What we want is to allow John to connect over SFTP only (no bash, no terminal) and to be limited to a set of folders.
In this example, we'll consider an existing user john, whose home directory is /home/john. You'll have to adapt the different commands to your specific case.
We need to customize our user a bit. First of all, his home directory must be owned by root:
chown -c root:root /home/john
Also, only root should have write access here, but everyone must have read and execute rights:
chmod -c 755 /home/john
John also has to be part of the sftp group. Create the group if you don't have it already:
groupadd sftp
Add John to the group (the -a flag appends sftp to his existing supplementary groups instead of replacing them):
usermod -aG sftp john
What we want to do here is tell the SSH daemon to jail the users of the group sftp in their respective home directories. This is achieved with the following instructions in /etc/ssh/sshd_config:
[...]
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
Finally, if you want this user to lose the ability to connect over SSH, you can remove his access to the shell.
In /etc/passwd, find a line like
john:x:1002:1002::/home/john:/bin/sh
and change it to
john:x:1002:1002::/home/john:/bin/false
If you want a specific user to be jailed in a folder other than his home folder, add this piece of configuration in /etc/ssh/sshd_config: