The easiest way, as shown in the link posted by coralfang, is to use ForceCommand to lock them into SFTP and ChrootDirectory to lock them into a specific part of the hierarchy.
When you mention that a directory already exists, is that directory owned by root and writable by no-one else? If not, you will have to use mount to bind it somewhere.
Say you have the directory /home/hnasr2001/files/ that you want the user 'aaaa' to write to, but nowhere else. First create the mount point and bind mount the existing directory there:
Code:
sudo mkdir -p -m 755 /home/locked/files/                       # /home/locked is the chroot; it must stay root-owned, mode 755
sudo chown aaaa:aaaa /home/locked/files/                       # the mount point; once bind-mounted, the source directory's owner is what is seen
sudo mount --bind /home/hnasr2001/files/ /home/locked/files/   # does not survive a reboot without an fstab entry
Be careful with the permissions. The chroot target must not be writable by anyone other than root, though it may be readable by the group, or by anyone for that matter. The subdirectory ./files/ does not have any constraints and can be writable by user 'aaaa' or anyone else.
Then add the group and its member(s). The group membership will take effect at the next login.
Code:
sudo addgroup locked
sudo gpasswd --add aaaa locked
Put the following at the end of sshd_config:
Code:
Match Group locked
    ChrootDirectory /home/locked/
    ForceCommand internal-sftp -d ./files/
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
Then reload the configuration.
Code:
sudo systemctl reload ssh
Upon reloading the SSH service, users in the group 'locked' will only be able to connect via SFTP. When they do connect, they will only see the one subdirectory.
See "man sshd_config" and "man sftp-server" for the details on the chroot and forced command.
See "man mount" for the details on the bind mount.