Asked Thursday, July 1, 2021

I want to give a client access to my server, but I want to limit those users to their home directories. I will bind-mount in any files I want them to be able to see.

I've created a user called bob and added him to a new group called sftponly. They have a home directory at /home/bob. I've changed their shell to /bin/false to stop SSH logins. Here is their /etc/passwd line:

bob:x:1001:1002::/home/bob:/bin/false

I've also changed the /etc/ssh/sshd_config to include the following:

Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no

When I try to log in as them, here's what I see:

$ sftp bob@server
bob@server's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

If I comment out the ChrootDirectory line I can SFTP in, but then they have free rein over the server. I have found that ChrootDirectory /home works, but it still gives them access to any home directory. I have explicitly tried ChrootDirectory /home/bob but that doesn't work either.

What am I doing wrong? How can I limit bob to /home/bob/?

----EDIT-----

Okay, so I just had a look at /var/log/auth.log and saw this:

May  9 14:45:48 nj sshd[5074]: pam_unix(sshd:session): session opened for user bob by (uid=0)
May 9 14:45:48 nj sshd[5091]: fatal: bad ownership or modes for chroot directory component "/home/bob/"
May 9 14:45:48 nj sshd[5074]: pam_unix(sshd:session): session closed for user bob

I'm not entirely sure what's going on there, but it suggests something is wrong with the user directory. Here is the ls -h /home output:

drwxr-xr-x 26 oli oli 4096 2012-01-19 17:19 oli
drwxr-xr-x  3 bob bob 4096 2012-05-09 14:11 bob

Answers

All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root and can't have any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell, and within that you can have your editable content.

# The chroot directory itself must be root-owned and not group/world-writable
sudo chown root /home/bob
sudo chmod go-w /home/bob
# Create a subdirectory below it that bob is actually allowed to write to
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable

And bam, you can log in and write in /writable.

[#38591] Answered Saturday, July 3, 2021