SFTP is often used by ordinary users to transfer files, alongside the usual shell access over SSH. In some scenarios, it is possible to use the OpenSSH SFTP server as a pure file transfer service that replaces the traditional FTP service.
In the sshd(8) configuration file (/etc/ssh/sshd_config), add the following:

Match Group ftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
    PermitTunnel no

The above configuration means that for every user in the ftp group who logs in over SSH, sshd(8) will chroot(2) the session processes to the user's home directory and allow only SFTP sessions. If you need to use the public key authentication method for SFTP users, add
AuthorizedKeysFile /etc/ssh/ftp_authorized_keys.%u
and add public keys in /etc/ssh/ftp_authorized_keys.<user-name>.
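
The following is an added example, not part of the original page: a small Python check that reads sshd_config text and reports which of the restrictions from the Match Group ftp block above are missing or weakened. The function names and both sample configurations are constructed for illustration, and the parser assumes whitespace-separated keyword/value lines.

```python
# Added example (not from the original page): audit sshd_config text for the
# SFTP-only Match block described above. Sample configs are constructed.
REQUIRED = {                      # keyword -> required first argument (None = any)
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "permittty": "no",
    "permittunnel": "no",
}

def match_block(config_text, criteria):
    """Collect keyword -> value for every Match block with exactly these criteria."""
    want = criteria.split()
    settings, active = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            active = value.split() == want    # a new Match line ends the previous block
        elif active:
            settings.setdefault(keyword, value)  # sshd uses the first value it obtains
    return settings

def audit(config_text, criteria="Group ftp"):
    """Return a list of findings; an empty list means the block is restrictive."""
    block = match_block(config_text, criteria)
    findings = []
    for keyword, expected in REQUIRED.items():
        args = block.get(keyword, "").split()
        if not args:
            findings.append(f"{keyword}: not set in block, global value or default applies")
        elif expected is not None and args[0] != expected:
            findings.append(f"{keyword}: {args[0]!r}, expected {expected!r}")
    return findings

HARDENED = """Match Group ftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
    PermitTunnel no
"""
WEAK = "Match Group ftp\n    ChrootDirectory %h\n    AllowTcpForwarding yes\n    X11Forwarding no\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(text) or "ok")
```

On a live host, sshd's extended test mode (`sshd -T` with a `-C user=<name>` connection specification) prints the effective settings after Match evaluation, which is the authoritative view. sshd also requires every component of the ChrootDirectory path to be root-owned and not writable by group or others, which this text check does not cover.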
Since file transfers usually push a large amount of traffic through the SSH server sshd(8), it may be desirable to switch to High-performance SSH for sshd(8). High-performance SSH is a fork of OpenSSH that uses a dynamic transfer buffer size and a multi-threaded AES-CTR cipher implementation to improve data transfer performance for SSH. Refer to its website for how to install and tune this implementation.