OpenSSH versions since 4.8 supports chroot(ed) sftp. This has been made possible by a new SFTP subsystem statically linked to sshd. There is no need to add any patches, but just needs few tweaks to the ssh configuration (/etc/ssh/sshd_config). This one step further to removing unsecure ftp service from the server.
Steps to Configure chrooted sftp
Open the sshd config file
# vi /etc/ssh/sshd_config
find and comment the line
Subsystem sftp /usr/libexec/openssh/sftp-server
then add the below after the commented above line
Subsystem sftp internal-sftp
With this change, sftp can be chrooted. Now let us update the config with rules, according to which chrooting will happen.
Let us create a group to start with
# groupadd sftpuser
Towards end of the config file /etc/ssh/sshd_config update the below configuration values
Match Group sftpuser
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
%h – means the home directory of the authenticated user and the authenticated user should below to the group sftpuser for the chrooting to happen. You may also use %u as in /var/www/vhosts/abcd.com/httpdocs/%u, where %u means username of the user.
The directory which is to be chrooted must be owned by root user with a permission of 700 or 755.