Creating an SFTP-only / FTP-only account

I'm using ProFTPD on a shared webhosting server with PAM authentication. There are plenty of users that I want to have an SFTP account, but not a shell account by default.

Because of the way I configured ProFTPD, I need to add 'real' Linux users (also based on PAM), which brings me to the problem right away: the user gets shell access at that very same time. It took some time, but I figured out this script:
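#!/bin/sh
# Login shell for SFTP-only accounts: sshd runs "<shell> -c <command>",
# so anything other than the sftp-server request is refused.

if [ "$*" != "-c /usr/lib/openssh/sftp-server" ]; then
    echo "Sorry, this account can be used only for (S)FTP-access.

If you require shell-access, please contact your webhost."
    exit 1
fi
exec /usr/lib/openssh/sftp-server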

After setting the right file permissions (-rwxrwxr-x) and changing the shell of a user to this script, that user will have no access to bash, sh, etc. :D
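A way to check a wrapper like this before assigning it as a login shell, as an added example that is not part of the original post: it probes which command lines reach the SFTP server, verifies that the file is not group- or world-writable, and confirms that it is listed in the shells file (ProFTPD's RequireValidShell, on by default, consults /etc/shells). The function names, the stub server and the scratch paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the stub server
# and the temporary paths are constructed for illustration.

# perms_ok FILE: true if FILE is executable and not group- or world-writable.
perms_ok() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    # find prints the path when either write bit is set; empty output is good.
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# in_shells FILE [SHELLS_FILE]: true if FILE appears there as a whole line.
in_shells() { grep -Fxq -- "$1" "${2:-/etc/shells}"; }

# make_wrapper FILE SERVER: write the post's wrapper logic to FILE, with
# SERVER standing in for /usr/lib/openssh/sftp-server.
make_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
if [ "\$*" != "-c $2" ]; then
    echo "Sorry, this account can be used only for (S)FTP-access."
    exit 1
fi
exec "$2"
EOF
    chmod 755 "$1"
}

# reaches_server WRAPPER ARGS...: true if WRAPPER handed over to the stub.
reaches_server() {
    w=$1; shift
    "$w" "$@" 2>/dev/null | grep -q '^STUB-SFTP-SERVER$'
}

# Demo on constructed files in a scratch directory.
tmp=$(mktemp -d)
printf '#!/bin/sh\necho STUB-SFTP-SERVER\n' > "$tmp/sftp-server"
chmod 755 "$tmp/sftp-server"
make_wrapper "$tmp/sftponly" "$tmp/sftp-server"
printf '/bin/sh\n%s\n' "$tmp/sftponly" > "$tmp/shells"   # stand-in for /etc/shells

reaches_server "$tmp/sftponly" -c "$tmp/sftp-server" && echo "sftp request: served"
reaches_server "$tmp/sftponly" || echo "interactive login: refused"
reaches_server "$tmp/sftponly" -c "$tmp/sftp-server; id" || echo "extra command: refused"
in_shells "$tmp/sftponly" "$tmp/shells" && echo "listed in shells file"
perms_ok "$tmp/sftponly" && echo "mode 755: ok"
chmod 775 "$tmp/sftponly"
perms_ok "$tmp/sftponly" || echo "mode 775: group-writable, flagged"
```

On a real host, run `perms_ok` and `in_shells` against the installed wrapper path; the probes with the stub only exercise the argument check.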

One Response to “Creating an SFTP-only / FTP-only account”

  1. mishek says:

    If you are using proftpd you can add to shells: /bin/false and set it as default shell for ftp users
