SFTP failing with "Match Group" clause

I am attempting to set up an sftp server on ubuntu/precise on EC2. I have been successful in adding a new user that can connect via ssh, however once I add the following clause:

Match Group sftp
    ChrootDirectory /home/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

I can no longer connect (at all, ssh or otherwise) and I get the message

Error: Connection refused
Error: Could not connect to server

I am able to connect with the subsystem set to:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Any idea why the ssh server is failing with this "Match" clause? Essentially, everything is working except for the "chroot" part.

Jonathan Coe asked Aug 21 '12 15:08


1 Answer

Ok, solved the issue:

Two things were causing the problem:

  1. I had to move the "Match" clause to the END of the file; it was in the middle.
  2. There was a permissions issue - I found the answer elsewhere that fixed it.

from: https://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes

"All this pain is thanks to several security issues as detailed here. Basically the chroot directory has to be owned by root and can't have any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable

And bam, you can log in and write in /writable."

Jonathan Coe answered Oct 21 '22 13:10
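As an added example (not code from the question or from the quoted Ask Ubuntu answer): a POSIX shell script that applies the rule sshd enforces on a ChrootDirectory to every component of the path, not only the jail itself. sshd checks each directory from / down to the chroot for root ownership and the absence of group/world write bits, and rejects the login when any one of them fails, so a root-owned /home/bob is not enough if, say, /home is group-writable. The script names the offending component. It assumes GNU coreutils `stat` (Linux); the function names, the optional TOP argument and the test tree are my own and not from the page.

```shell
#!/bin/sh
# Added example: reproduce the ownership/permission check that OpenSSH's sshd
# performs on a ChrootDirectory (every path component must be owned by root
# and must not be group- or world-writable) so the bad directory is found
# before sshd silently refuses the SFTP login.

# mode_allows_gw_write MODE
# MODE is octal text as printed by `stat -c %a` (755, 2775, 1777, ...).
# Returns 0 (true) when the group or "other" write bit is set.
mode_allows_gw_write() {
    n=$(printf '%d' "0$1")      # octal text -> decimal integer
    [ $(( n & 18 )) -ne 0 ]     # 18 == 0o022: group-write | other-write
}

# dir_ok DIR [EXPECTED_UID]
# Returns 0 when DIR is a directory owned by EXPECTED_UID (default 0, root)
# with no group/other write bit; prints the reason on failure.
dir_ok() {
    d=$1; want=${2:-0}
    [ -d "$d" ] || { echo "FAIL $d: not a directory"; return 1; }
    set -- $(stat -c '%u %a' "$d")   # GNU stat: owner uid, octal mode
    if [ "$1" != "$want" ]; then
        echo "FAIL $d: owned by uid $1, expected uid $want"; return 1
    fi
    if mode_allows_gw_write "$2"; then
        echo "FAIL $d: mode $2 is group- or world-writable"; return 1
    fi
    echo "ok   $d (uid $1, mode $2)"
}

# check_chroot_path DIR [EXPECTED_UID] [TOP]
# Walks from DIR up to TOP (default /), the way sshd does, checking each
# component. TOP is only here so the walk can be exercised on a scratch tree
# owned by an unprivileged user; sshd itself always walks all the way to /.
check_chroot_path() {
    d=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot resolve"; return 1; }
    want=${2:-0}
    top=$(cd "${3:-/}" && pwd -P)
    rc=0
    while :; do
        dir_ok "$d" "$want" || rc=1
        [ "$d" = "$top" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/bob
# With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the jail after the chown/chmod steps above; every line must read "ok" or sshd will still refuse the session. The other half of the fix is the config ordering: everything after a `Match` line belongs to that block until the next `Match`, so global directives placed below it make the file invalid, and sshd then fails to start, which is what "Connection refused" (nothing listening on port 22) indicates. Run `sshd -t` before restarting the service so a bad config is reported instead of locking you out.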