Você pode especificar qual comando é usado no arquivo de chaves autorizado no servidor (isso substitui o comando que o usuário fornece). De acordo com man sshd (seção AUTHORIZED_KEYS FILE FORMAT):
command="command"
Specifies that the command is executed whenever this key is used
for authentication. The command supplied by the user (if any)
is ignored. The command is run on a pty if the client requests
a pty; otherwise it is run without a tty. If an 8-bit clean
channel is required, one must not request a pty or should spec‐
ify no-pty. A quote may be included in the command by quoting
it with a backslash. This option might be useful to restrict
certain public keys to perform just a specific operation. An
example might be a key that permits remote backups but nothing
else. Note that the client may specify TCP and/or X11 forward‐
ing unless they are explicitly prohibited. The command origi‐
nally supplied by the client is available in the
SSH_ORIGINAL_COMMAND environment variable. Note that this
option applies to shell, command or subsystem execution. Also
note that this command may be superseded by either a
sshd_config(5) ForceCommand directive or a command embedded in a
certificate.
Coloque no arquivo authorized_keys :
command="scp -t -- /var/tmp" ssh-rsa ......
Isso força um comando scp some_file user@server:/some/directory no cliente para
crie /var/tmp/some_file no servidor.
Verifique se o usuário não pode sobrescrever ~/.ssh/authorized_keys no servidor!
Você pode fazer mais restrições, permitindo apenas de um determinado cliente. Eu uso:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp...