There are many ways to create a chroot for SSH; here are 2 good links for that.
Note: Here is some more info on the subject. The following article is based on an extract of the following site:
Enabling chrooted SSH
Enabling chrooted SSH is a bit complicated because we must set up a chroot environment with all programs/tools (e.g. /bin/bash, /bin/cp, etc.) that the users should be able to use. This means we must also copy all libraries that these programs need to the chroot jail. You can do this manually with the cp command, and you can find out what libraries a tool needs by using the ldd command, e.g.
We also have to create some devices such as /dev/null, /dev/zero, /dev/tty, and /dev/urandom inside the chroot jail with the mknod command.
However, this can be a tedious task. Fortunately, there’s a script that can do this for us. Found at:
First, we need to install some prerequisites:
apt-get install sudo debianutils coreutils
Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user:
chmod 700 /usr/local/sbin/make_chroot_jail.sh
Enabling chrooted SFTP only and disabling SSH
The following article has nothing to do with the above articles on chroot for SSH.
It shows what you can do to restrict a user to SFTP only and disallow SSH usage for that user.
All you have to do is change the user’s login shell to /usr/lib/openssh/sftp-server.
usermod -s /usr/lib/openssh/sftp-server falko
/usr/lib/openssh/sftp-server must be listed in /etc/shells as a valid login shell,
so if it isn’t already listed, please add it to /etc/shells as follows:
echo '/usr/lib/openssh/sftp-server' >> /etc/shells
The above command has to be run only once, not for every user that you want to restrict to SFTP.
Afterwards, you can log in with an SFTP client, such as FileZilla or, on Mac, Cyberduck.
Create a user for SFTP without any shell:
usermod -s /bin/false sftp
For chroot, the user's home directory must be owned by root and writable only by root:
chown root:root /home/sftp
chmod 755 /home/sftp
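The ownership rule above as a check script (an added example, not from the original article). It goes one step beyond the text by also checking every parent directory up to /, which sshd requires for a ChrootDirectory; the function names and the optional UID argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original article). Audits a chroot directory:
# it and every parent up to / must be owned by root and must not be
# group- or world-writable. Requires GNU stat (Debian/Ubuntu).
# The optional UID argument is an assumption of this sketch so the check can
# be exercised without root; leave it at the default 0 for real use.

# check_component DIR [UID]: verify one directory's owner and mode.
check_component() {
    dir=$1; want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" -ne "$want_uid" ]; then
        echo "FAIL $dir: owner uid $owner, expected $want_uid"; return 1
    fi
    # 022 = group-write and other-write bits; a leading 0 makes $mode octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or world-writable"; return 1
    fi
    echo "ok   $dir (uid $owner, mode $mode)"
}

# check_chroot_path /abs/path [UID]: walk from the directory up to /.
check_chroot_path() {
    path=$1; uid=${2:-0}; rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path"; return 2 ;;
    esac
    while :; do
        check_component "$path" "$uid" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Run against any paths given on the command line, e.g. /home/sftp.
for p in "$@"; do
    check_chroot_path "$p"
done
```

Run it as root with /home/sftp as the argument; any FAIL line names the directory whose owner or mode has to be corrected.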
The user should not be allowed to write in its chrooted home directory. So we create an upload sub-directory which belongs to the user.
chown sftp:sftp /home/sftp/upload
Adapting sshd Configuration
Disable the following line with ‘#’:
#Subsystem sftp /usr/lib/openssh/sftp-server
Add the following lines:
Subsystem sftp internal-sftp
Match User sftp
Restart SSHD Daemon:
tail -f /var/log/auth.log