OpenSSH-4.4 now supports something near to what you're looking for,
using Match and ForceCommand.

Here's an excerpt from the changelog in the release message:

This release includes the following new functionality and fixes:

* Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of post-
authentication options are supported and more are expected to be
added in future releases.

* Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.

* Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"

* Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to

* Add optional logging of transactions to sftp-server(8).

* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested.


You should be able to perform your requested functionality now.

On 9/25/06, Brian wrote:
> Joshua Feather wrote:
> > I'm curious if anyone knows of a way to configure openssh on a
> > Solaris(8/9) and Linux system (RH4) to use port 22 for ssh and 522 for
> > sftp usikng only one installed client rather that installing seperate
> > instances to utilize seperate ports...any help woul dbe greatly
> > appreciated!

> There are a few 'solutions' but these will require that you have separate sshd
> instances and id's for both sftp and ssh for every user. ie: as someone else
> pinted out, use two separate config files conf22 and conf522.
> Essentially you have to use separate userids on these systems so that userA-ssh
> is 'locked' inside a restricted shell (eg:rbash) such that they cannot use sftp
> or other file copying utilities (this is not trivial... esp if they need access
> to editors, etc). The other account (userA-sftp) uses either rssh or scponly
> as the 'shell' and so cannot login interactively using that account.
> Finally add user*-ssh to group sshAllow and user*-sftp to sftpAllow, then use
> Deny/AllowGroup in the relevant sshd_config to prevent users gaining access to
> the other sshd (they are the same process after all and without this step they
> can still login using the other process and matching id...)
> eg:
> userA-ssh member of sshAllow
> userA-sftp member of sftpAllow
> in sshd_config22:
> DenyGroups sftpAllow
> AllowGroups sshAllow
> and in sshd_config522:
> DenyGroups sshAllow
> AllowGroups sftpAllow
> But, as I said, it's not bulletproof (can be v difficult to lock users down
> depending on what other access they require to the system), requires multiple
> userids/person (never good for auditing), in some cases users may need to
> remember multiple pwds or other tokens*, auditing requires extra steps to
> 'normalise' the user access, etc etc.
> *That said, the users could use the same keypair for both accounts, and so
> login to either system with the one identity file...policies permitting.
> I haven't checked the order in which sshd checks the config - for users that
> have both groups configured, does openssh process the deny first, or the allow,
> or in the order specified in the file? Maybe just use the Deny option to
> forbid users in that category from using the wrong sshd instance... ie:test
> whatever you implement to ensure it does what you'd expect...
> rssh:
> scponly:
> --
> g'luck
> brian