10.4 server won't allow a user to log in without a “valid” shell. So here's a workaround (many thanks to unixgeek!!):
> /etc/shells
Set ‘/usr/bin/false’ as the user's shell According to some sources, this works also for SFTP, but I haven't been able to confirm this.