SFTP ForceCommand internal-sftp

The ForceCommand directive in the OpenSSH server configuration (/etc/ssh/sshd_config) forces a specific command to run when a user logs in, regardless of the command the client actually requested. internal-sftp is the value that makes the SSH server serve SFTP from an in-process SFTP server instead of executing the sftp-server binary as a subprocess. To limit users to SFTP only and jail them in their home directories, combine ForceCommand internal-sftp with ChrootDirectory %h inside a Match block in sshd_config. Here is an example:
Match User bruno
    ForceCommand internal-sftp
    ChrootDirectory %h
    PermitTunnel no
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication yes
In this configuration, Match User bruno applies the directives that follow to the user bruno. The ForceCommand internal-sftp line makes the in-process SFTP server the only thing the matched user can run, so an interactive shell or any other command is refused. The ChrootDirectory %h directive restricts the user to their home directory (%h expands to the home directory of the matched user). The last four lines disable tunnelling, TCP forwarding and X11 forwarding, and enable password authentication for the user.

Remember to restart the sshd service (sudo systemctl restart sshd) for the changes to take effect. Make sure you have another way into your server when testing, in case something goes wrong.

Before applying the chroot (jail) environment, make sure that the user's home directory and every directory above it in the path are owned by root and are not writable by any other user or group. This is a requirement of the chroot functionality in the OpenSSH server; if it is not met, the user's login is refused.
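The ownership rule above is easy to get wrong, so here is an added check script (not part of the original page or of OpenSSH) that walks from a prospective ChrootDirectory up to / and reports every component that sshd would reject. It assumes GNU coreutils stat (the -c format flags), so it is written for Linux hosts.

```shell
#!/bin/sh
# Added example: verify the OpenSSH ChrootDirectory ownership rule for a path.
# sshd requires every component of the chroot path to be owned by root and
# not writable by group or others; otherwise the SFTP login is refused.

# Decide whether one path component satisfies the rule.
# $1 = numeric owner uid (stat -c %u), $2 = symbolic mode (stat -c %A,
# e.g. drwxr-xr-x). Returns 0 if acceptable, 1 otherwise.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1          # must be owned by root
    case "$mode" in
        ?????w*) return 1 ;;              # 6th char: group write bit set
    esac
    case "$mode" in
        ????????w*) return 1 ;;           # 9th char: other write bit set
    esac
    return 0
}

# Walk from the given directory up to /, printing every offending component.
# Returns 0 if the whole path is acceptable, 1 if any component is not,
# 2 if a component cannot be stat'ed (assumes GNU stat).
check_chroot_path() {
    dir=$1
    rc=0
    while :; do
        info=$(stat -c '%u %A' "$dir") || return 2
        set -- $info
        if ! chroot_component_ok "$1" "$2"; then
            echo "bad: $dir (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Source the file and run check_chroot_path /home/bruno (or whatever %h expands to for the matched user); a silent run with exit status 0 means the path satisfies the rule.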