This is pretty straightforward, though surprisingly hard to find information about. I have tested this on CentOS 7.2 and 7.9, with OpenSSH v6.6 and v7.4.
In /etc/ssh/sshd_config, add the following at the bottom:
    Match Group sftponly
        ChrootDirectory /shares/uploads
        AllowTCPForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
This restricts users in the group sftponly to SFTP only, confined to the directory /shares/uploads. This should work with local groups or with realm-joined groups (Active Directory as well).
Now restart sshd with systemctl restart sshd.
That's it! There are no special downloads or third-party tools needed.
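As an added example (not part of the original post): sshd refuses a chrooted login unless every directory in the ChrootDirectory path is owned by root and not writable by group or others, so this script walks a path such as /shares/uploads and reports any component that fails. The function names and the optional owner-UID argument are assumptions of this example, and it relies on GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.
# Usage: sh check_chroot.sh /shares/uploads

# dir_is_safe DIR [OWNER_UID]
# Succeeds if DIR is a directory owned by OWNER_UID (default 0, root)
# with no group-write or other-write permission bit set.
dir_is_safe() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    uid=$(stat -L -c '%u' "$dir") || return 1
    mode=$(stat -L -c '%a' "$dir") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # The leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is writable by group or others" >&2
        return 1
    fi
    return 0
}

# check_chroot_path PATH [OWNER_UID]
# Checks PATH and every parent directory up to /, reporting all failures.
# Returns 0 if all pass, 1 if any component fails, 2 if PATH is not absolute.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    case $path in
        /*) ;;
        *) echo "$path: must be an absolute path" >&2; return 2 ;;
    esac
    rc=0
    while :; do
        dir_is_safe "$path" "$want_uid" || rc=1
        if [ "$path" = "/" ]; then break; fi
        path=$(dirname "$path")
    done
    return $rc
}

# Run the check when a path is given on the command line.
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Because the chroot directory itself cannot be writable by the SFTP users, uploads have to go into a subdirectory inside it that they do have write access to. Running `sshd -t` before the restart validates the edited sshd_config.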