From what I understand this is what you're looking for:
http://www.minstrel.org.uk/papers/sftp/builtin/
From what I can see, it's basically as simple as adding these lines to the end of /etc/ssh/sshd_config:
Code:
# These lines must appear at the *end* of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
The syntax is pretty self-explanatory: all users in the group sftponly are chrooted to their home directory and are forced to use sftp, so they can't use a remote shell.
So with this solution you can even allow certain customers sftp-only access and others (those paying more?) full ssh access.
Also please do read the appropriate manpages; mindlessly copy/pasting configuration directives from the internet is a recipe for disaster:
sshd_config(5),
sftp(1),
sftp-server(8)
As a sidenote, I believe jggimi recently mentioned that he used this or a similar solution when he set up an account for me on his server; perhaps he has additional advice or comments.
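
Added example, not part of the original post: sshd_config(5) states that at session startup sshd checks that every component of the ChrootDirectory path is a root-owned directory not writable by any other user or group, so `ChrootDirectory %h` only works if the home directories meet that rule. The shell check below verifies it before the Match block goes live; the function names `check_dir` and `check_chroot_path` and the optional UID argument are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a "ChrootDirectory %h" target.
# sshd_config(5): every path component must be a root-owned directory
# that is not writable by any other user or group.

# check_dir DIR [UID] -- hypothetical helper; UID defaults to 0 (root)
# and is only overridable so the check can be exercised without root.
check_dir() {
    dir=$1; want_uid=${2:-0}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a real directory"
        return 1
    fi
    # ls -ldn fields: mode string, link count, numeric uid, numeric gid, ...
    ls -ldn -- "$dir" | awk -v want="$want_uid" -v d="$dir" '
        $3 != want              { print "FAIL " d ": owner uid is " $3; bad = 1 }
        substr($1, 6, 1) == "w" { print "FAIL " d ": group-writable";   bad = 1 }
        substr($1, 9, 1) == "w" { print "FAIL " d ": world-writable";   bad = 1 }
        END                     { exit bad + 0 }'
}

# check_chroot_path ABS_PATH [UID] -- check the target and every parent up to /.
check_chroot_path() {
    path=$1; uid=${2:-0}; rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: need an absolute path"; return 1 ;;
    esac
    while :; do
        check_dir "$path" "$uid" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return "$rc"
}

# Stand-alone use (constructed example path): sh check_chroot.sh /home/alice
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the chroot root itself cannot be writable by the user, uploads need a subdirectory inside it that the user owns.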