You can restrict commands using the authorized_keys file. Put command="/home/rpcall/bin/command.sh"
before the key in the authorized_keys file, and the user will only run that command when they connect.
Check the man page for authorized_keys; this is from the man page:
command="command"
    Specifies that the command is executed whenever this key is used
    for authentication. The command supplied by the user (if any) is
    ignored. The command is run on a pty if the client requests a
    pty; otherwise it is run without a tty. If an 8-bit clean channel
    is required, one must not request a pty or should specify
    no-pty. A quote may be included in the command by quoting it
    with a backslash. This option might be useful to restrict certain
    public keys to perform just a specific operation. An example
    might be a key that permits remote backups but nothing else.
    Note that the client may specify TCP and/or X11 forwarding unless
    they are explicitly prohibited. The command originally supplied
    by the client is available in the SSH_ORIGINAL_COMMAND environment
    variable. Note that this option applies to shell, command
    or subsystem execution.
If you need more than one command, you will basically need to set up several sets of keys and use different keys to provide different commands.
Edit: I just noticed, the original command is available in the SSH_ORIGINAL_COMMAND environment variable, so you could actually handle that input using your own script, doing something clever.
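One way such a wrapper script could dispatch on SSH_ORIGINAL_COMMAND, as an added example that is not part of the original answer: the request names (status, disk, backup), the /srv/data path and the function names are hypothetical. The client's string is only matched against an allowlist and is never passed to eval or sh -c.

```shell
#!/bin/sh
# Forced-command wrapper, installed via command="/home/rpcall/bin/command.sh"
# in authorized_keys. Request names and actions below are hypothetical.
LC_ALL=C; export LC_ALL   # make the a-z range below byte-exact

# Validate the client's request (SSH_ORIGINAL_COMMAND) against an allowlist.
# Prints the normalized request on success; returns 1 for anything else.
validate_request() {
    req=$1
    case "$req" in
        status|disk)
            printf '%s\n' "$req" ;;
        "backup "*)
            name=${req#backup }
            # Accept only a non-empty name of lowercase letters, digits, _ and -
            case "$name" in
                ''|*[!a-z0-9_-]*) return 1 ;;
            esac
            printf 'backup %s\n' "$name" ;;
        *)
            return 1 ;;
    esac
}

# Run the fixed server-side action for an already validated request.
run_request() {
    set -- $1   # safe to split: validated to [a-z0-9_-] plus one space
    case "$1" in
        status) uptime ;;
        disk)   df -h ;;
        backup) tar -czf - "/srv/data/$2" ;;
    esac
}

# Entry point: act only when sshd passed along a client command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if ok=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        run_request "$ok"
    else
        # Record the refusal; SSH_CLIENT is set by sshd for the session.
        logger -t forced-cmd "rejected request from ${SSH_CLIENT:-unknown}" 2>/dev/null || true
        echo "request not permitted" >&2
        exit 1
    fi
fi
```

Because the man page notes that forwarding stays available unless prohibited, the key line for this script would also carry no-port-forwarding,no-X11-forwarding,no-pty (or restrict on OpenSSH versions that support it) alongside command="...".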