The way I solved this (on Solaris with Openssh) was to set the sftp-only user's shell to be the sftp-server binary (/usr/local/libexec/sftp-server on my Solaris openssh build). I did not have to add this to /etc/shells.Then using the information in the "Change user's default shell"hint, you can set up users that can access a server via sftp but not actually login via ssh. Once you have created your users and set up ssh on the server, you should then run the following for each user you want to restrict:
niutil -createprop . /users/joebob shell \where joebob is replaced by the short name of the user you are modifying and /usr/libexec/sftp-server is the sftp-server binary. At least, that's where it is in 10.1.5. I don't know if they've moved it in 10.2; hopefully not but you can check the location of sftp-server by looking for the "Subsystem sftp" line in the sshd configuration file /etc/sshd_config)
/usr/libexec/sftp-server
Now these users can get access to the server via sftp but can't log in with ssh.

