Many thanks to anomie for posting this great writeup. I've pasted it below to help spread the wealth.
-------
Here's a quick recipe for your chrooted sftp daemon:
1. Create the sftp init script - /etc/init.d/sftpfoo

#!/bin/bash
#
# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
#
# Note that /usr/sbin/sftpfoo is simply a symlink to /usr/sbin/sshd
#

pidfile='/var/run/sftpfoo.pid'

# Launch sshd with argv[0] set to the sftpfoo symlink so the daemon shows up
# under its own name and re-execs itself through the symlink on each
# connection. The subshell keeps exec from replacing this script, so
# restart can call start after stop.
start() {
    ( exec -a /usr/sbin/sftpfoo /usr/sbin/sshd -f /etc/ssh/sftpfoo_config )
}

# Only signal a daemon whose pid file actually exists.
stop() {
    [ -f "${pidfile}" ] && kill -9 "$(cat "${pidfile}")"
}

case "${1}" in
    start  ) start
             ;;
    stop   ) stop
             ;;
    restart) stop
             sleep 3
             start
             ;;
    *      ) echo "Usage: ${0} (start|stop|restart)"
             ;;
esac
exit 0
2. Add it to chkconfig(8) consciousness and set up a symlink you'll need later.
# chkconfig --add sftpfoo
# ln -s /usr/sbin/sshd /usr/sbin/sftpfoo
3. Create your sftp config file - /etc/ssh/sftpfoo_config

Port 8822
Protocol 2
AddressFamily inet
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
UsePAM no
PidFile /var/run/sftpfoo.pid
ChrootDirectory /home/chrooted
Subsystem sftp internal-sftp
4. Create your first sftp-only user
# useradd -d /nowhere -M -s /sbin/nologin baruser
5. Create the chroot directory
# mkdir -p /home/chrooted && chmod 755 /home/chrooted
6. Start the sftp service
# service sftpfoo start
-------
Now, log in remotely as baruser, specifying port 8822. (Remember to poke a hole in your firewall for this port.)
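A pre-flight check for the recipe above, added here as an example and not part of anomie's writeup. It walks the ChrootDirectory path and verifies the rule sshd enforces before it will chroot (the directory and every parent must be owned by root and not writable by group or others), parses the config with sshd -t, and confirms the account has a password hash in /etc/shadow: useradd leaves a new account locked until passwd is run, and with PasswordAuthentication yes and UsePAM no that hash is the only credential the daemon will accept. The script name sftpfoo-check.sh, the run_checks entry point and the constructed shadow lines are my assumptions; CONFIG, CHROOT and SFTP_USER are the recipe's own values, and stat -c assumes GNU coreutils.

```shell
#!/bin/bash
# Added example, not part of anomie's recipe: pre-flight checks for the
# chrooted sftp daemon. Assumes a Linux host with GNU stat and the paths
# used in the recipe. Invoke as: bash sftpfoo-check.sh check
CONFIG=/etc/ssh/sftpfoo_config
CHROOT=/home/chrooted
SFTP_USER=baruser

# sshd refuses a ChrootDirectory unless it and every parent directory are
# owned by root and not writable by group or others. Pure check on
# (uid, octal mode) so it can be exercised without touching the filesystem.
chroot_component_ok() {
    uid="$1"
    mode="$2"
    [ "$uid" = "0" ] || return 1
    # last two octal digits are the group and other permission bits
    go=${mode#"${mode%??}"}
    case "$go" in
        [2367]?|?[2367]) return 1 ;;   # write bit set for group or other
    esac
    return 0
}

# Walk from the chroot up to /, applying chroot_component_ok to each component.
check_chroot_path() {
    p="$1"
    while :; do
        uid=$(stat -c '%u' "$p") || return 1
        mode=$(stat -c '%a' "$p") || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "unsafe chroot component: $p (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# useradd leaves the account locked ('!!' on RHEL/CentOS) until passwd is run.
# Takes one /etc/shadow line; returns 0 only when field 2 holds a real hash.
shadow_password_set() {
    field2=$(printf '%s' "$1" | cut -d: -f2)
    case "$field2" in
        ''|'!'*|'*'*) return 1 ;;   # empty, locked, or disabled
    esac
    return 0
}

# Run everything against the live host (needs root to read /etc/shadow).
run_checks() {
    rc=0
    # -t parses the config and exits non-zero on errors without starting a daemon
    /usr/sbin/sshd -t -f "$CONFIG" || rc=1
    check_chroot_path "$CHROOT" || rc=1
    if ! shadow_password_set "$(getent shadow "$SFTP_USER")"; then
        echo "$SFTP_USER has no password set; run: passwd $SFTP_USER" >&2
        rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "check" ]; then
    run_checks
fi
```

Run it as root with `bash sftpfoo-check.sh check` before `service sftpfoo start`. Note that with /home/chrooted owned by root and mode 755, which is exactly what sshd requires, baruser cannot write anywhere inside the chroot until you create a subdirectory under it and chown that subdirectory to baruser.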