问如何将用户限制在他/她的文件夹？

EN

Subsystem sftp internal-sftp
Match Group sftp
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

service ssh restart

Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details.

 ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2016-12-10 19:07:57 CET; 27s ago
  Process: 1928 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)
 Main PID: 1928 (code=exited, status=255)

Dec 10 19:07:57 vps307796 systemd[1]: Starting OpenBSD Secure Shell server...
Dec 10 19:07:57 vps307796 sshd[1928]: /etc/ssh/sshd_config line 93: Directive 'UsePAM' is not allowed within
Dec 10 19:07:57 vps307796 systemd[1]: ssh.service: Main process exited, code=exited, status=255/n/a
Dec 10 19:07:57 vps307796 systemd[1]: Failed to start OpenBSD Secure Shell server.
Dec 10 19:07:57 vps307796 systemd[1]: ssh.service: Unit entered failed state.
Dec 10 19:07:57 vps307796 systemd[1]: ssh.service: Failed with result 'exit-code'.

#  Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

        Match Group sftp
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no