These are server side configuration settings. They were added to /etc/ssh/sshd_config on the server I gave carpetsmoker access to.
Note that these were for sftp connectivity only. No shell access. For shell access, you would have to set up a complete chroot(8) environment, as discussed in the sshd_config(5) man page under ChrootDirectory.
Let us review each of those configuration statements from above, and what they meant.
Code:
Match User carpetsmoker
The lines under the "Match" were used whenever the userid of the connecting user was carpetsmoker. For other users, those lines were ignored.
Code:
ChrootDirectory /home/carpetsmoker
I locked carpetsmoker to the directory structure under /home/carpetsmoker. For that userid, his root directory "/" was "/home/carpetsmoker" -- he had no access to any other structure.
Code:
AllowTcpForwarding no
I did not permit any port forwarding for carpetsmoker. No SOCKS proxy, no tunnels.
Code:
ForceCommand internal-sftp
No shell access was permitted, only sftp connections, and only using the internal-sftp subsystem.
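Added example, not part of the original post: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and sshd refuses the login otherwise. The script below checks that for a path such as /home/carpetsmoker; the function names and the optional owner-uid argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the ownership/mode rule that sshd enforces on a
# ChrootDirectory path (root-owned, no group/other write, every component).

# component_ok DIR [OWNER_UID]
# Returns 0 if DIR is a directory owned by OWNER_UID (default 0 = root) and
# has no group/other write bit. OWNER_UID is a hypothetical knob so the
# check can be exercised without root privileges.
component_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    # POSIX ls -ldn: field 1 is the mode string, field 3 the numeric uid
    info=$(ls -ldn -- "$dir" | awk '{print $1, $3}')
    mode=${info% *}
    uid=${info#* }
    gw=$(printf '%s' "$mode" | cut -c6)   # group write position
    ow=$(printf '%s' "$mode" | cut -c9)   # other write position
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, want $want_uid"; return 1
    fi
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "FAIL $dir: mode $mode is group/other writable"; return 1
    fi
    echo "ok   $dir ($mode uid $uid)"
}

# chroot_path_ok DIR
# Walks from DIR up to / and reports every component; returns 0 only if
# all of them satisfy component_ok with root as the owner.
chroot_path_ok() {
    p=$1
    rc=0
    case $p in /*) ;; *) echo "FAIL $p: must be an absolute path"; return 1 ;; esac
    while :; do
        component_ok "$p" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/carpetsmoker
if [ "$#" -gt 0 ]; then chroot_path_ok "$1"; fi
```

Because the chroot directory itself must be root-owned, uploads need a subdirectory inside it that the user owns. After editing sshd_config, `sshd -t` checks the file before the daemon is reloaded.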