Safe FTP/SFTP access questions
We're a company that builds web sites (among other things) and are transitioning from moving most of our clients from various crappy shared hosting accounts to our own FreeBSD-powered web server. Some of them got used to the idea of having FTP access to their accounts at the shared hosting services - for example, a photographer who often sells prints and used equipment via eBay wants to be able to host photos for his auctions from his webspace without having to use some cheesy web-based file uploader to get the files uploaded. Previously, we just had accounts/access for the sysadmins, but it was becoming clear that that's going to be untenable. So after reading up on it in Absolute FreeBSD, I created some chrooted user accounts with /dev/null as their shell and fired up ftpd via inetd.
I'd prefer to have people be able to connect via SFTP, but it looks like doing this chrooted will be some big huge ugly affair involving setting up jails and using the sftponly shell, which is really more complicated than I think it should be. Is there any way to simply say, "Okay, behave just like ftpd is now, but also allow SFTP connections?"
Also, is there any way to make it so these users can absolutely, positively never set the execute bits on any file they upload?
Any other security tips for this sort of a situation would be appreciated. Thanks in advance.