Saturday, February 21, 2009

Allowing SFTP but not SSH

Here's how they do it; well, I have also tried it.

The default login shell for an account that is allowed to ssh in is /bin/bash; it is the last field of the account's entry in the /etc/passwd file. For a certain user to be able to use sftp only, and not ssh, the login shell should be changed to the path of the sftp-server binary (the path below is the Red Hat one; other distributions install it elsewhere, for example /usr/lib/openssh/sftp-server on Debian). See below:

ssh allowed:

testuser:x:670:670::/home/testuser:/bin/bash

sftp only allowed:

testuser:x:670:670::/home/testuser:/usr/libexec/openssh/sftp-server

When the user tries to log in with ssh, nothing useful happens: sshd starts sftp-server as the login shell, and it just sits waiting for SFTP protocol messages that an interactive terminal never sends. With sftp, the same binary is exactly what the client expects, so the user gets the sftp prompt. Remote commands fail as well, because the "shell" is handed the command with -c and sftp-server does not accept it (so scp will not work either, only sftp). One caveat: this only removes the shell. TCP port forwarding (ssh -N -L ...) is still allowed unless sshd_config says otherwise, so if that matters set AllowTcpForwarding no for the user, or use a Match block with ForceCommand internal-sftp (OpenSSH 4.9 and later) instead of relying on the passwd entry alone.
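As an added example (not part of the original post), the shell helpers below do three things: audit a passwd-format listing for accounts whose login shell is sftp-server, print the usermod command that makes the change shown above, and print an sshd_config Match block for the alternative that OpenSSH 4.9 and later offer, ForceCommand internal-sftp inside a chroot, which also lets you switch off port forwarding for just that user. The sftp-server path is the Red Hat one from the post (assumed; Debian-based systems ship /usr/lib/openssh/sftp-server), the sample passwd lines are constructed, and the usermod/sshd_config output is only printed, never applied.

```shell
#!/bin/sh
# Added example: helpers for auditing and configuring SFTP-only accounts.
# Not from the original post. The sftp-server path is assumed to be the
# Red Hat/Fedora one used in the post; Debian/Ubuntu ship
# /usr/lib/openssh/sftp-server instead.

SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}

# Succeeds (returns 0) when the login shell, the last colon-separated
# field of a passwd line, is an sftp-server binary.
is_sftp_only() {
    case "${1##*:}" in
        */sftp-server) return 0 ;;
        *)             return 1 ;;
    esac
}

# Reads passwd-format lines on stdin and prints the names of the
# accounts restricted to sftp-server, one per line.
list_sftp_only() {
    while IFS= read -r line; do
        if is_sftp_only "$line"; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Prints (does not run) the command that changes the shell; run it as root:
#   usermod -s /usr/libexec/openssh/sftp-server testuser
sftp_only_cmd() {
    printf 'usermod -s %s %s\n' "$SFTP_SERVER" "$1"
}

# Prints an sshd_config Match block for the OpenSSH 4.9+ approach.
# $1 = user, $2 = chroot directory. The chroot directory and every
# component of its path must be owned by root and not writable by any
# other user, or sshd refuses the login. Unlike the passwd trick, this
# also denies TCP and X11 forwarding for the user.
sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Constructed sample /etc/passwd contents for the demonstration below.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
testuser:x:670:670::/home/testuser:/usr/libexec/openssh/sftp-server
alice:x:1001:1001::/home/alice:/bin/bash'

# Demonstration: which sample accounts are SFTP-only (testuser), how to
# restrict alice the same way, and the stricter Match-block alternative.
printf '%s\n' "$SAMPLE_PASSWD" | list_sftp_only
sftp_only_cmd alice
sftp_match_block alice /home/alice
```

On a real box, audit with `getent passwd | list_sftp_only` after sourcing the file, confirm the change with `getent passwd testuser | cut -d: -f7`, then test both paths from another machine: `ssh testuser@host true` should fail while `sftp testuser@host` should reach the sftp prompt. If you use the Match block instead, append it to the end of sshd_config (Match blocks apply until the next Match line) and run `sshd -t` before reloading the daemon.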