If you are using the SFTP SubSystem where it spawns a separate process, you could create a sftp group and only allow execution of the sftp-server binary for that group. It will not be possible to do this with the newer internalized sftp daemon, which is specified with internal-sftp.
If they have shell access, they will still be able to scp. Do you have a particular goal in mind?
Edit
If you want to restrict your user to only executing or utilizing a specific program, I would probably recommend a shell wrapper instead. command= might work but it seems more likely to be fallible. I would do more testing to be sure.
A shell wrapper, such as scponly, will only allow the end-user to scp. I have modified the source of scponly before to only allow CVS execution, for example. This can also be done with a shell script but it is easier to make mistakes if you do not fully understand the scope of what you are trying to do.
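
To illustrate the shell-script approach mentioned in the answer above, here is an added example (not part of the original answer and not scponly's code): a login shell that accepts only scp's server mode. The /usr/bin/scp path, the function name vet_scp_request and the flag allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example: login shell that permits only scp's server mode.
LC_ALL=C; export LC_ALL
SCP_BIN=/usr/bin/scp    # assumption: path to scp on this host

# Prints the vetted scp arguments (one per line) and returns 0, or
# returns 1 when the request is anything but "scp [flags] -t|-f <path>".
vet_scp_request() {
    req=$1
    # Refuse every character outside a small allowlist before splitting, so
    # quotes, globs, substitutions and separators never reach a parser.
    case $req in
        ''|*[!A-Za-z0-9/._\ -]*) return 1 ;;
    esac
    set -f; set -- $req; set +f    # whitespace split only, nothing evaluated
    [ "${1:-}" = scp ] || return 1
    shift
    mode=''; flags=''
    while [ $# -gt 0 ]; do
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
            -r|-p|-d|-v) flags="$flags $1" ;;
            --) shift; break ;;
            -*) return 1 ;;        # any other option is refused
            *)  break ;;
        esac
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    printf '%s\n' $flags "$mode" -- "$1"
}

# sshd starts a login shell as: <shell> -c "<command sent by the client>".
# Without -c (interactive login) the script ends and the session closes.
if [ "${1:-}" = -c ] && [ $# -eq 2 ]; then
    if args=$(vet_scp_request "$2"); then
        set -f
        exec "$SCP_BIN" $args      # direct exec, no eval and no sh -c
    fi
    echo "This account is restricted to scp." >&2
    exit 1
fi
```

It covers the legacy scp protocol only; scp clients that default to SFTP (OpenSSH 9.0 and later) request the sftp subsystem rather than running scp -t or scp -f.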