Restricting SFTP user to home directory

Published 2019-07-13 15:58

Question:

I'm trying to set up a client SFTP space on an EC2 Ubuntu server, with access restricted to just that user's home directory. There are only about six thousand other threads on this, and I've got most of them open in other tabs. It would appear to be straightforward.

I've done:

$ sudo groupadd loginsftp
$ sudo groupadd loginssh
$ sudo adduser sftpuser
$ sudo gpasswd -a sftpuser loginsftp
$ sudo chown root:root /home/sftpuser


$ sudo su sftpuser
$ groups
> sftpuser loginsftp

The bottom of my /etc/ssh/sshd_config looks like:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

UsePAM yes

Match Group loginssh
  PasswordAuthentication no

Match Group loginsftp
  PasswordAuthentication yes
  ChrootDirectory /home/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

... and I've restarted the ssh service.

But I don't seem to be able to restrict that user's login. I can still (from my local machine):

$ sftp sftpuser@ec2-server.amazonaws.com
sftpuser@ec2-server.amazonaws.com's password:
Connected to ec2-server.amazonaws.com.
sftp> pwd
Remote working directory: /home/sftpuser
sftp> cd /var/www
sftp> ls -la

What have I overlooked?

Answer 1:

Bah. I'm an idiot and should make sure that when I think I've restarted ssh, I have actually restarted ssh.