ssh user for scp only, chrooted

Verified on OpenSSH_6.0p1, Debian-4+deb7u2
Commands prefixed with # require root permission. Remember to use sudo instead of a root console.

1. In /etc/ssh/sshd_config add:
    Match group groupforscponly
    ChrootDirectory ~
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Note that man sshd_config describes tokens such as %h (the user's home directory) and %u (the username) that can be used in ChrootDirectory.

2. Add a user that belongs to groupforscponly.

3. Inside the home directory of the created user, recreate the same path as the home directory: the chroot makes /home/user the new root, and the sftp server then changes into the user's home directory relative to that root. E.g. for a user with home directory /home/user you must create /home/user/home/user, e.g. # mkdir -p /home/user/home/user

4. Change ownership of the created user's home to root (sshd refuses a ChrootDirectory that is not root-owned), e.g. # chown root /home/user

5. Give the user write permission to /home/user/home/user, e.g. # chown user /home/user/home/user && chmod u+rwx /home/user/home/user

6. Restart sshd, e.g. # /etc/init.d/sshd try-restart
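The six steps above collected into a script, as an added example that is not part of the original post: the group name scponly, the user name and the /home/USER path are assumptions, and check_chroot_dir verifies the ownership and mode that sshd demands of a ChrootDirectory before the restart.

```shell
#!/bin/bash
# Added example, not from the original post. GROUP, USER and /home/USER are
# assumed values; the functions mirror steps 1-6 of the post.
set -eu

# Step 1: the Match block. A Match block extends to the next Match or to the
# end of the file, so it must be appended at the very end of sshd_config.
render_match_block() {
    local group="$1"
    printf 'Match Group %s\n' "$group"
    printf '    ChrootDirectory %%h\n'          # %h is the user's home, like ~
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    ForceCommand internal-sftp\n'
}

# Steps 4-5 only work if sshd accepts the chroot: the ChrootDirectory (and
# every directory above it) must be owned by root and must not be writable
# by group or others. Returns 0 when DIR satisfies that, 1 otherwise.
check_chroot_dir() {
    local dir="$1" uid mode
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" -eq 0 ] || return 1
    # octal 022 masks the group and other write bits
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
}

# Steps 2-6, to be run as root via sudo: create group and user, build the
# nested home, fix ownership, append the Match block, test and restart sshd.
setup_scp_only_user() {
    local user="$1" group="$2" home="/home/$1"
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1 || useradd -m -d "$home" -g "$group" "$user"
    mkdir -p "$home$home"                       # step 3: /home/user/home/user
    chown root:root "$home" && chmod 755 "$home" # step 4
    chown "$user:$group" "$home$home" && chmod 700 "$home$home"  # step 5
    grep -q "^Match Group $group" /etc/ssh/sshd_config \
        || render_match_block "$group" >> /etc/ssh/sshd_config
    check_chroot_dir "$home"                    # refuse to continue otherwise
    sshd -t                                     # syntax-check before restart
    /etc/init.d/ssh restart                     # Debian names the script ssh
}
```

Because ForceCommand internal-sftp serves only the SFTP protocol, clients must connect with sftp (or an scp implementation that speaks SFTP); the scp shipped with OpenSSH 6.0 needs a remote scp binary, which the chroot does not contain.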

After this you will have a user that is restricted to its own directory and limited to scp only.
