I figured I’d write this down as I set up basic sandboxing for the web users on my VPS. In my haste to set up the domains earlier, I missed that they could pull down the entire filesystem. Oops :). Here’s a small how-to on enabling a sandbox (chroot) in OpenSSH.
Add the following lines to /etc/ssh/sshd_config. They match any user in the sftpusers group for the sandboxing.
Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Create and set the home directory for said user. I moved my sites to their own /home/ directory.
mkdir /home/<username>
usermod -d /home/<username> <username>
usermod -a -G sftpusers <username>
This should now sandbox the user to its own home directory.
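sshd only accepts a ChrootDirectory when every component of the path is owned by root and not writable by group or others (see sshd_config(5)); otherwise the login is refused. The script below is an added example, not part of the guide I followed, that checks a directory against that rule before you test a login. The function names and the optional UID argument are my own, and it assumes a stat that supports -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory (assumes GNU/busybox stat).
# sshd_config(5) requires every component of the chroot path to be owned by
# root and not writable by group or others; sshd rejects the login otherwise.

# check_component DIR [UID] -> 0 if DIR is owned by UID (default 0, root) and
# has no group/other write bit. The UID argument exists only so the check can
# be exercised without root; sshd itself always requires uid 0.
check_component() {
    c_uid=$(stat -L -c %u "$1") || return 2
    c_mode=$(stat -L -c %a "$1") || return 2
    if [ "$c_uid" -ne "${2:-0}" ]; then
        echo "FAIL $1: owned by uid $c_uid, expected ${2:-0}"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w and o+w.
    if [ $(( 0$c_mode & 022 )) -ne 0 ]; then
        echo "FAIL $1: mode $c_mode is group/other writable"
        return 1
    fi
    return 0
}

# check_chroot_path DIR -> checks DIR and every parent directory up to /.
# Reports all offending components and returns non-zero if any failed.
check_chroot_path() {
    p=$1
    rc=0
    case $p in /*) ;; *) echo "FAIL $p: not an absolute path"; return 2 ;; esac
    [ -d "$p" ] || { echo "FAIL $p: not a directory"; return 2; }
    while :; do
        check_component "$p" || rc=1
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh check-chroot.sh /home/<username>
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK $1"
fi
```

Because the chroot directory itself must stay root-owned, the user cannot upload into its top level; files go in a subdirectory inside it that the user owns.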
More detailed info, and the guide I followed, can be found here: https://wiki.archlinux.org/index.php/SFTP_chroot