Gist thelebster/e78538bed50951bd5783
chroot
I use lshell to chroot ssh/sftp users.
Put similar users into the same group. Define the group in /etc/lshell.conf and, within that group section, define the user.
There is also a default setting for accounts not defined.
Then set /usr/bin/lshell as the login shell for the user and add the user to your chosen group (sshlimited, lshell or sshonly).
However, the utility isn’t completely bulletproof yet, Mouzannar says. “When you connect through SFTP (if you’re allowed to), lshell spawns the SFTP subsystem shipped with OpenSSH, and therefore cannot restrict its content.” So it should disable sftp and allow only restricted scp.
*************************************************************************************************************************
> so what I did is have lshell in /etc/passwd as the shell. Then within sshd_config:
>     Subsystem sftp /bin/MySecureShell -c sftp-server
> as the sftp server. This allows some users to have both ssh/sftp access with restrictions. If I wanted an sftp only account then change passwd to /bin/MySecureShell and they will only have sftp access. What a nice solution!
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Remember that there is a trick to navigate the filesystem with programs like VIM, even inside lshell.
This shows how to make a user use SFTP only and disallow SSH login for that user. All you have to do is change the user's login shell to /usr/lib/openssh/sftp-server, e.g.:
usermod -s /usr/lib/openssh/sftp-server username
/usr/lib/openssh/sftp-server must be listed in /etc/shells as a valid login shell; if it isn't already there, add it as follows:
echo '/usr/lib/openssh/sftp-server' >> /etc/shells
************************************************************************************************************************
or give the user a non-login shell (the command is usermod, not chmod):
usermod -s /sbin/nologin username
edit /etc/ssh/sshd_config:
Subsystem sftp internal-sftp    # or the external sftp-server helper
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
groupadd sftp
For any users that you wish to chroot, add them to the sftp group by using:
# usermod -a -G sftp joe        # -a appends; plain -G would drop joe's other groups
# usermod -s /bin/false joe     # check: they absolutely cannot ever get shell access
# chown root:root /home/joe     # required by OpenSSH for ChrootDirectory
# chmod 0755 /home/joe          # allow user to upload and download (see note below)
With these permissions set, the user will be allowed to upload and download files, but cannot create directories or files in the chroot root directory. In other words, if this is used for Web hosting, ensure that a subdirectory of the root directory, such as /home/joe/public_html/, exists and is owned by the user; this way they can write to and create directories in /home/joe/public_html/, but cannot make changes to the root directory (/home/joe) itself.
***************************************************************************************************************************
To set up the user account so that it is not allowed an SSH login, you must set the shell to /sbin/nologin or /bin/false (remembering that the shell must be mentioned in /etc/shells, which these aren't in a default Gentoo setup).
In the file /etc/ssh/sshd_config disable the existing line "Subsystem sftp ..." (by inserting # as its first character), and add at the end of the file:
Subsystem sftp internal-sftp
Match Group sftponly
# Variables for ChrootDirectory: %h ($HOME) %u ($USERNAME)
ChrootDirectory /etc/sftp-roots.d/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
This configuration did work:
Subsystem sftp internal-sftp
ChrootDirectory /home
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
usermod -a -G sftponly username
Also edit the SELinux policy for ssh_home_dirs so sshd can use the home directories,
then restart sshd.
Chrooting shell accounts is a little more complicated as it requires that certain device files and a shell be available in the user’s home directory. The following commands will set up a very basic chroot system on Mandriva Linux:
# mkdir /chroot
# cd /chroot
# mkdir {bin,dev,lib}
# cp -p /bin/bash bin/
# cp -p /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libtermcap.so.2} lib/    # the libraries bash links against; ldd /bin/bash lists them
# mknod dev/null c 1 3
# mknod dev/zero c 1 5
# chmod 0666 dev/{null,zero}
# mkdir -p /chroot/home/joe
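An added example that generalizes the Mandriva recipe above (it is not from the gist or from Mandriva): instead of hard-coding the four library names, it asks ldd which shared objects each binary needs and copies them into the jail at their original paths, so the same function works for bash, ls or any other dynamically linked tool you want inside the chroot. It assumes a Linux system with ldd and GNU coreutils; the jail path, the list of binaries and the function names are my choices. Only make_dev_nodes needs root.

```shell
#!/bin/sh
# Added example: build a minimal shell chroot like the Mandriva recipe above,
# discovering shared libraries with ldd instead of hard-coding them.
# Assumptions (not from the gist): Linux with ldd and GNU coreutils; the jail
# path and binaries are arguments, e.g.  populate_jail /chroot /bin/bash /bin/ls

# Copy one binary plus every shared object ldd reports for it into the jail,
# preserving the original paths so the dynamic loader finds them there.
copy_with_libs() {
    jail="$1" bin="$2"
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    # ldd prints "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the loader as
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every field that is a path.
    # A statically linked binary makes ldd fail, and then there is nothing to copy.
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp -p "$lib" "$jail$lib"
    done
}

# The device nodes from the recipe above (/dev/null, /dev/zero); requires root.
make_dev_nodes() {
    jail="$1"
    mkdir -p "$jail/dev"
    [ -e "$jail/dev/null" ] || mknod -m 0666 "$jail/dev/null" c 1 3
    [ -e "$jail/dev/zero" ] || mknod -m 0666 "$jail/dev/zero" c 1 5
}

# Number of regular files in the jail, so a caller can confirm the copy worked.
jail_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Create the skeleton, copy each binary with its libraries, add device nodes.
populate_jail() {
    jail="$1"; shift
    mkdir -p "$jail/bin" "$jail/lib" "$jail/home"
    for bin in "$@"; do copy_with_libs "$jail" "$bin" || return 1; done
    make_dev_nodes "$jail"
}
```

After `populate_jail /chroot /bin/bash`, `chroot /chroot /bin/bash` should give a prompt; if it fails with "No such file or directory" the missing piece is almost always a library path that differs between the host and the jail, which `ldd /bin/bash` on the host will show.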
**************************************************************************************************************************
lshell
make_chroot_jail.sh: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
ref:
http://wiki.lapipaplena.org/index.php/How_to_mount_SFTP_accesses
http://en.gentoo-wiki.com/wiki/SFTP_Server#Full_SSH_or_SFTP_Jail_Based_On_User