Within the sshd_config file, which is what configures the sftp facilities, you can do the following:
AllowGroups sftponly
Match Group sftponly
    ChrootDirectory /webdocs/ABC
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
I don't believe this will do wildcards. So you'll have to create separate instances of these rules within the file.
ChrootDirectory
excerpt from the sshd_config man page
$ man sshd_config
...
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. All components of the pathname must be root-owned
directories that are not writable by any other user or group.
After the chroot, sshd(8) changes the working directory to the
user's home directory.
The pathname may contain the following tokens that are expanded at
runtime once the connecting user has been authenticated: %% is
replaced by a literal '%', %h is replaced by the home directory of
the user being authenticated, and %u is replaced by the username
of that user.
The ChrootDirectory must contain the necessary files and
directories to support the user's session. For an interactive
session this requires at least a shell, typically sh(1), and basic
/dev nodes such as null(4), zero(4), stdin(4), stdout(4),
stderr(4), arandom(4) and tty(4) devices. For file transfer
sessions using “sftp”, no additional configuration of the
environment is necessary if the inprocess sftp server is used,
though sessions which use logging do require /dev/log inside the
chroot directory (see sftp-server(8) for details).
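The man page excerpt above requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or other. The following script is an added example (not part of the original answer or of OpenSSH) that audits a path such as /webdocs/ABC against that rule; the function names are hypothetical and it assumes a `stat` that accepts `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against the sshd_config(5) rule
# that every component is a root-owned directory not writable by group/other.
# Assumes GNU or BusyBox stat (-c format); function names are hypothetical.

# component_ok UID MODE: succeed if the owner is root (uid 0) and the octal
# mode has neither the group-write (020) nor the other-write (002) bit set.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path PATH: walk from PATH up to /, reporting each component.
# Returns 0 if all components pass, 1 if any fail, 2 if PATH is not absolute.
check_chroot_path() {
    dir=$1
    rc=0
    case $dir in
        /*) ;;
        *) echo "not an absolute path: $dir" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"
            rc=1
        else
            owner=$(stat -c %u "$dir")
            mode=$(stat -c %a "$dir")
            if component_ok "$owner" "$mode"; then
                echo "ok   $dir (uid=$owner mode=$mode)"
            else
                echo "FAIL $dir (uid=$owner mode=$mode)"
                rc=1
            fi
        fi
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Stand-alone use: sh check_chroot.sh /webdocs/ABC
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it once per Match block, since each block names its own ChrootDirectory.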