SFTP access by username or group membership?

There is no relationship between FTP and SFTP.

SFTP is a subset of SSH, not FTP, and therefore it's available to anyone who's able to ssh into the server.

You can (and should?) disable the FTP service unless you have some other use for it.

As for SFTP, the question hinges around two things - first, are you running a central directory server, or does each user have a local account on the machine? and second, do the users need shell access on the server for any other purpose?

The reason I ask is that since SFTP runs under SSH, you can use any of the SSH controls to manage access. The first one that comes to mind is AllowGroups (or, potentially, AllowUsers).

Using either of these directives will allow you to restrict access to SSH/SFTP to specific users and/or groups.

In that way you could create a group for your users (if you don't already) and then tell SSH that only that group (or list of users) are allowed to connect. For example, if you created a group called 'sshUsers' and put all the users who should be able to SSH or SFTP to the server into that group, you can then add the line:

<pre class=command>AllowGroup sshUsers</pre>

to /etc/sshd_config on your server to restrict access to that group only.

The reason I ask about the central directory is because if you're running a directory, you just need to add the group there. If the server has local accounts, though, then you need to add it in the local directory. It's not a big difference either way, just a matter of where you make the change.

where is the /etc/sshd_config directory located for a directory other than the local one?

I'm not sure what you're asking here. /etc/sshd_config is the path to the file.
You can't see this in the Finder, if that's where you're looking, since /etc is a hidden directory, so you'll need to use the terminal.

As for the chroot issue, just change the user's home directory to the directory you want them to upload to. It isn't the same as chroot since they can still manually navigate to other parts of the system, but at least it will eliminate any confusion over where to upload things.

Lastly, for now, I don't think I've ever seen FTP-SSL implemented with the built-in FTP server. I know there are third-party servers that implement it, so that may be the path you have to take. Just make sure that you can set it in FTPS-only mode otherwise users will be able to log in insecurely anyway - just having an option to use SSL isn't enough to ensure most people actually use it.

Setting up SFTP/SSH ACLs is considerably easier with 10.4. In ServerAdmin, connect to your server, do NOT choose a specific server, choose the Settings tab in the bottom right and the Access tab in the upper right. You can filter access to any service by users & groups here.

Also, sorry to say, but giving someone SFTP access is the same as shell access. There are ways around this which are very complex... either patching OpenSSH or the use of a specilized shell called scponly. Do a search for ssh and chroot or jail and you will see much information about it. I check in every year or so to see if it's more possible, but seemingly, it isn't.

Like Camelot, I have not seen any info for FTP/SSL with OS X server either.