Those "other things" could well be the source of the problem, since
Match works first-match per config directive.

[...]
No, it has the same problem with sftp but falls back to using a shell,
which works:

Opened channel for session
Primary command failed; attempting fallback
Started a shell/command
No, your server config is probably broken:

subsystem request for sftp
subsystem: cannot stat /usr/lib/openssh/sftp-server: No such file or
directory

however since you've trimmed the server logs you've removed the parts
that would have shown what Match did, so I have no idea what happened.

Please either post your entire config (or reduce your config to a subset
that you are willing to post), repeat the test with that config (use
sshd -f reduced_config if you don't use your real config) and show the
entire log.

Out of interest, how is this shell created? The default shell is
/bin/false, and sending a command through with ssh (eg `ssh
***@server ls -l .`) does nothing.

[...]
Sure,
http://www.bluebottle.net.au/sshd_config.txt
http://www.bluebottle.net.au/sftp-sshd-full.txt
http://www.bluebottle.net.au/sftp-sftp-full.txt

Now that I know psftp is doing special stuff to get a 'sftp' session
working, is the issue something relating to sftp-server not being in
the chroot? The sshd_config manpage entry for ChrootDirectory seems to
state this isn't neccessary, but I could be misreading.

AJ

Thanks for the hints, I'm on the right track.

Sadly your setup doesn't work perfectly: for one thing changing the
user's homedir to /home means that OpenSSH looks for the
authorized_keys file in /home/.ssh in the root filesystem! I suppose
this would be less of/not an issue if you used password auth, but I
can't.

What did work was this:
* Unchanged sshd_config
* User's home directory is /home/user (in /etc/passwd)
* chown root:root /home/user
* mkdir -p /home/user/usr/lib/openssh/
* cp /usr/lib/openssh/sftp-server /home/user/usr/lib/openssh/sftp-server

When you authenticate you appear chrooted in /home/user. The obvious
problem is that the user's homedir isn't writeable by them, so you
have to pre-populate subdirectories.

I'm still confused on several points though:
1. Why do I need to copy sftp-server into the chroot? The
sshd_config(5) entry for ChrootDirectory states: "For file transfer
sessions using ``sftp'', no additional configuration of the
environment is necessary if the in-process sftp server is used (see
Subsystem for details).".
1b. Are /usr/lib/openssh/sftp-server and internal-sftp different names
for the same thing?
2. Does the method I worked out above have any security issues?
3. Is there any way I can use ChrootDirectory with a user-writable
home directory?

Thanks,
AJ