I did, indeed, use OpenSSH's internal-sftp feature. The hosting OS is OpenBSD.
In /etc/ssh/sshd_config, I have:
Code:
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match User carpetsmoker
ChrootDirectory /home/carpetsmoker
AllowTcpForwarding no
ForceCommand internal-sftp
Through experimentation, I discovered I needed to enable internal-sftp before the Match, and have ForceCommand the last entry within the Match.