by quoiquoi 1020 days ago
If the user account is only supposed to have file transfer capabilities/no shell access, add it to a specific group, e.g. `sftponly`, and only allow this group to use the `internal-sftp` command in `/etc/ssh/sshd_config`:

    Match Group sftponly
    ForceCommand internal-sftp -l INFO -f LOCAL6
    AllowTcpForwarding no
    AllowAgentForwarding no
    GatewayPorts no
    X11Forwarding no

Thank you, this seems to prevent the client from getting a shell on the server, while allowing it to make SSHFS mounts. I've put /usr/sbin/nologin into the client's row in /etc/passwd on the server as well (/dev/null would break everything including SSHFS).

Is there some way to specify that nothing except internal-sftp is allowed, as opposed to setting each option explicitly to "no"? The latter way seems error-prone, one is bound to miss some obscure option there.

And I wonder why you suggest using the LOCAL6 log facility? In sftp-server, the default is AUTH...
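The worry above is that confining a group by listing options one at a time is easy to get wrong. As an added example (not code from either commenter), here is a small audit script that parses an sshd_config, finds the `Match Group sftponly` block, and reports every forwarding-related option whose effective value is not `no`, taking into account that an option missing from the Match block falls back to the global section and then to sshd's default. The parser is a deliberate simplification of sshd's grammar, the sample configs are constructed, and the `PermitTunnel` and `AllowStreamLocalForwarding` checks are additions beyond the four options in the thread (both are real sshd_config options; the second defaults to `yes`).

```python
"""Audit an sshd_config for a Match Group block that confines a group to internal-sftp.

Added example, not code from the thread. It is a minimal approximation of sshd's
config grammar: keywords are case-insensitive, a Match line opens a block that runs
to the next Match line or end of file, and the first occurrence of a keyword in a
given scope wins. The sample configs below are constructed for illustration."""
import re

# OpenSSH defaults (sshd_config(5)) for options that grant more than file transfer.
# The first four are the ones the thread's Match block sets to "no"; the last two are
# further real options added here as an extra check (assumption: worth covering too).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "gatewayports": "no",
    "x11forwarding": "no",
    "permittunnel": "no",                 # added check, not in the thread
    "allowstreamlocalforwarding": "yes",  # added check, not in the thread
}


def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, block_opts), ...]).

    Each opts dict maps a lowercased keyword to the first value seen in that scope."""
    global_opts, blocks = {}, []
    scope = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = {}
            blocks.append((value, scope))
            continue
        scope.setdefault(keyword, value)
    return global_opts, blocks


def find_group_block(blocks, group):
    """Return the opts of the first Match block whose criteria include Group <group>."""
    for criteria, opts in blocks:
        tokens = criteria.split()
        for i in range(0, len(tokens) - 1, 2):
            if tokens[i].lower() == "group" and group in tokens[i + 1].split(","):
                return opts
    return None


def audit_sftp_only(text, group="sftponly"):
    """Return a list of findings; an empty list means the group is confined as intended."""
    global_opts, blocks = parse_sshd_config(text)
    opts = find_group_block(blocks, group)
    if opts is None:
        return [f"no 'Match Group {group}' block found"]
    findings = []
    force = opts.get("forcecommand", "").split()
    if force[:1] != ["internal-sftp"]:
        findings.append("ForceCommand in the Match block is not internal-sftp")
    for key, default in DEFAULTS.items():
        # effective value: Match block, else global section, else sshd's default
        source, value = "match block", opts.get(key)
        if value is None:
            source, value = "global section", global_opts.get(key)
        if value is None:
            source, value = "sshd default", default
        if value.lower() != "no":
            findings.append(f"{key} is {value} ({source})")
    return findings


# Constructed sample: the Match block from the thread, unchanged.
THREAD_CONFIG = """
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp -l INFO -f LOCAL6
    AllowTcpForwarding no
    AllowAgentForwarding no
    GatewayPorts no
    X11Forwarding no
"""

# Constructed sample: the same block with the two extra options closed as well.
COMPLETE_CONFIG = THREAD_CONFIG + """
    PermitTunnel no
    AllowStreamLocalForwarding no
"""

# Constructed sample: one line forgotten, so the sshd default (yes) applies.
MISSING_ONE = """
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in [("thread", THREAD_CONFIG), ("complete", COMPLETE_CONFIG),
                      ("missing one", MISSING_ONE)]:
        print(name, "->", audit_sftp_only(cfg) or "ok")
```

The script only reads the file; the authoritative check is sshd itself, which prints the effective configuration for a hypothetical connection with `sshd -T -C user=<name>,host=<hostname>,addr=<client address>` (placeholders to fill in), so the two can be compared after every edit to the Match block.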