[Twisted-Python] using conch to create a "chrooted" sftp server

[glyph at divmod.com]

I'd like to provide file-server access on my home network to a machine 
which hosts a variety of media, without exposing its entire filesystem. 
OpenSSH's sftp-server doesn't allow this, so of course I thought, I 
should use conch.

Completely replacing OpenSSH with Conch is inconvenient, however, and it 
is my only means to administer these machines, so both for the sake of 
easy packaging and making sure I don't make a mistake, I'd really like 
to keep the main SSH daemon in place but replace the sftp channel.

I *think* that means I'd need to do something with sshd_config, 
twisted.conch.ssh.filetransfer, and twisted.internet.stdio.  However, 
I'm a bit at a loss what that thing would be.

Can someone with stronger conch-fu than I give a brief description of 
how this could be done?  Ideally, I'd like some users (myself) to be 
able to access the entire filesystem, but others (the "storage" user, 
who has no shell) to only be able to access /public.  Finally I'd like 
the "guest" user to be able to access /public, but read-only, and 
/public/drop-box read-write.  I don't mind setting up UNIX permissions 
to enforce that last bit.