How i can restrict certain file extension upload via ssh?

OpenSSH doesn't natively have these facilities, though you might be able to partly do this with commercial products (CrushFTP, Linoma or Barracuda come to mind).

If you want to apply content-filtering to uploads you can do this with OpenSSH by allowing users to upload to an incoming spool, and periodically scanning and moving approved content to an outgoing spool, this also works for A/V scanning. incron should help with this. It won't work effectively for size-based uploads if your intention is to save bandwidth, file size is part of the scp protocol, this requires a client to advise, but not necessarily honour file size.


Update: since OpenSSH allows delegating the sftp server to an external process (via Subsystem in sshd_config) you could implement your own SFTP server. The perl Net::SFTP:SftpServer module is a complete implementation, and the documentation has a working example (make sure to install all its dependencies, setup syslog correctly so it logs, and remove the ARGV tests if you do not make this script the user's shell).

It has a configurable maximum file size setting, and it supports callback functions for file transfer events, allowing you to inspect the file name (and content) — though the callbacks are only invoked after completion of the transfer.

You could trivially patch the makeSafeFileName() function in SftpServer.pm to add your filename conditions, it already has a (configurable) regex test for valid filenames (though note this applies to all names including directories); or, add an extra test for $filename in function processOpen() which handled file opens (probably better).

You can enable it globally in sshd_config with Subsystem sftp ..., or you can selectively use it via ForceCommand for a group of users:

Match Group sftplimited
    ForceCommand /usr/local/bin/sftp-server.pl