Replace "jaileduser" with whatever you want the username to be.
Step 1 (as root) - Set up chroot environment and user. Replace fish in the pacman command with whatever shell you want.
sudo su -
mkdir --parents /home/jaileduser/home
useradd --create-home --gid users --home /home/jaileduser/home/jaileduser jaileduser
usermod --home /home/jaileduser jaileduser
mkdir --parents /{etc/jail/jaileduser,var/jail/jaileduser/{cache/{key,pkg},lib}}
chown jaileduser:users /var/jail/jaileduser/cache/key
cp /etc/pacman.conf /etc/jail/jaileduser/pacman.conf
pacman --dbpath /var/jail/jaileduser/lib --root /home/jaileduser --cachedir /var/jail/jaileduser/cache/pkg --config /etc/jail/jaileduser/pacman.conf --logfile /var/jail/jaileduser/pacman.log --sync --refresh fish
mkdir --parents /home/jaileduser/var/cache/ssh
chown jaileduser:users /home/jaileduser/var/cache/ssh
chmod 700 /home/jaileduser/var/cache/ssh
sudo su - jaileduser
ssh-keygen -t ed25519 -C "jaileduser SSH key" -f /var/jail/jaileduser/cache/key/id_ed25519
cp /var/jail/jaileduser/cache/key/id_ed25519.pub /home/jaileduser/var/cache/ssh/authorized_keys
chmod 600 /home/jaileduser/var/cache/ssh/authorized_keys
exit
Step 4 (as root) - Update /etc/ssh/sshd_config to allow connection from jaileduser (assumes you're already using pubkey auth and password auth is disabled)
AllowUsers existinguser1 existinguser2 jaileduser
# must be at the end of the config file
Match User jaileduser
ChrootDirectory %h
AuthorizedKeysFile %h/var/cache/ssh/authorized_keys
X11Forwarding no
AllowTcpForwarding no
systemctl restart sshd
Now you should be able to SSH into the system using the SSH key generated in Step 3 (the ssh-keygen command run as jaileduser).
Alternatively, you can add another public key to jaileduser's authorized_keys file and SSH in using that.
If you can't remote in and the SSH logs show something about the account being locked, try running sudo usermod --password '*' jaileduser. See https://unix.stackexchange.com/a/193131
Create /dev/null for jaileduser: mknod -m 666 /home/jaileduser/dev/null c 1 3
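Another thing to check when the login is refused (an added example, not part of the original write-up): sshd accepts ChrootDirectory, here %h = /home/jaileduser, only if every component of the path is a root-owned directory that is not writable by group or others, so a chown or chmod on /home/jaileduser itself breaks the login. The function names and script file name are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: pre-flight check for the sshd ChrootDirectory rule.
# Function names are illustrative; GNU stat (coreutils) is assumed.

# component_ok DIR [UID]: DIR must be a directory owned by UID (default 0)
# with neither the group-write nor the other-write bit set.
component_ok() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi
    owner=$(stat -L -c %u -- "$dir")
    mode=$(stat -L -c %a -- "$dir")
    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $owner, expected $want_uid"
        return 1
    fi
    # %a prints octal digits; the leading 0 makes the shell read them as octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"
        return 1
    fi
    echo "ok   $dir (uid $owner, mode $mode)"
}

# chroot_path_ok PATH [UID]: check PATH and every parent directory up to /.
chroot_path_ok() {
    path=$1
    rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: need an absolute path"; return 2 ;;
    esac
    while :; do
        component_ok "$path" "${2:-0}" || rc=1
        [ "$path" = / ] && break
        path=$(dirname -- "$path")
    done
    return $rc
}

# Run as root, e.g.: sh check-chroot.sh /home/jaileduser  (file name is arbitrary)
if [ $# -gt 0 ]; then
    chroot_path_ok "$1"
fi
```

Any FAIL line names the directory to fix; the user's own writable home further down (/home/jaileduser/home/jaileduser) is not part of the chroot path and is not checked.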
Mostly based on https://charoitehllee.wordpress.com/knowledge-base/setting-up-chroot-jail-for-ssh-scp-with-arch-linux/