Originally Posted by Minstrel
Shell can be anything, really, as the user shouldn't be able to gain a shell, but /bin/false means they can't do anything if they manage to.
I'll have to look into the options for installing /bin/false in Mac OS X, thanks for the tip.
As for the directory ownership, root:admin should do the job - it's the root ownership that's most important.
I was able to chown to 0:0 (root:wheel).
The directory structure for the chroot jail is this:
Here are the permissions for jail path:
/ permissions: drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 .
/webhome permissions: drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
/webhome/web permissions: drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
Subdirectories within web are chown/chmod'd with user permissions to write (i.e. /webhome/web/site1/ etc.).
If I comment out the jail settings in sshd_config, the jailed users are able to log in just fine. Re-enabling the jail I get the error in /etc/secure.log: "fatal: bad ownership or modes for chroot directory component "/"" whether I ssh in or sftp in.
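The rule behind that error, as an added example that is not part of the original post: sshd_config(5) requires every component of the ChrootDirectory path, starting at "/", to be a root-owned directory that is not writable by group or others. The function names and the SAMPLE table are hypothetical; SAMPLE is constructed from the listing in the post so the check runs without touching a real filesystem.

```python
import os
import stat
import sys
from collections import namedtuple

# Minimal stand-in for os.stat_result, used only by the constructed sample.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")

def chroot_components(path):
    """Yield "/", "/a", "/a/b", ... for an absolute path."""
    yield "/"
    cur = ""
    for part in (p for p in os.path.normpath(path).split("/") if p):
        cur += "/" + part
        yield cur

def check_chroot_path(path, stat_fn=os.stat):
    """Return [(component, problem), ...] for components that break the rule."""
    if not path.startswith("/"):
        return [(path, "not an absolute path")]
    problems = []
    for comp in chroot_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:  # group-write or other-write bit set
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, "group/other writable (mode %04o)" % mode))
    return problems

# Constructed sample mirroring the listing in the post (uid 0 = root).
SAMPLE = {
    "/": FakeStat(stat.S_IFDIR | 0o1775, 0),        # drwxrwxr-t root admin
    "/webhome": FakeStat(stat.S_IFDIR | 0o755, 0),  # drwxr-xr-x root wheel
    "/webhome/web": FakeStat(stat.S_IFDIR | 0o755, 0),
}

def sample_stat(path):
    return SAMPLE[path]

if __name__ == "__main__":
    # With an argument, check a real path; without one, check the sample.
    if len(sys.argv) > 1:
        found = check_chroot_path(sys.argv[1])
    else:
        found = check_chroot_path("/webhome/web", sample_stat)
    for comp, why in found:
        print("%s: %s" % (comp, why))
```
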