This allows us to give semi-public access to allow friends or whoever to upload some files.
Add the following to your sshd_config:
Match Group public_users ChrootDirectory /var/public_upload AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp AuthorizedKeysFile /var/www/public_upload/%u/.ssh/authorized_keys
Make sure you're using internal-sftp for the sftp subsystem, not the old sftp-server. This forces the user to only be able to connect with the sftp subsystem.
Note that the entire chroot path needs to be owned and only modifiable by root. The AuthorizedKeysFile line is needed to use the .ssh dir inside the chroot. By default it looks in the user's homedir outside of the chroot, which may not exist.
Create the group for the users.
pw add group public_users
Now setup the user
pw add user -n friend -G public_users -d /friend -c 'sftp only user' -m -s /usr/sbin/nologin passwd friend ...
Note the homedir, /friend is relative to the chroot