Monday, April 07, 2008

$SSH_ORIGINAL_COMMAND

It is possible to limit the commands that one machine can execute on another by entering a command in .ssh/authorized_keys, along with the authorized key. Any command the client sends then gets diverted to that one command. The cool trick is that the original command is still available in the variable named in the title!
The allowed command can then be a more or less simple script that evaluates the variable.
A simplified example:

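vi /root/bin/validate_command:

#!/bin/sh
# Run what the client asked for only if it starts with "rsync".
# Only the prefix is checked; the arguments are not inspected.
case "$SSH_ORIGINAL_COMMAND" in
    rsync*) $SSH_ORIGINAL_COMMAND ;;    # unquoted: split into command and arguments
    *) echo "You must be joking..." ;;
esac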
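
A stricter version of the validator, as an added example that is not the original post's script: it accepts only the "rsync --server ..." command line that an rsync client sends over ssh, restricts every word to a conservative character set, and requires every path to lie under one directory. The directory /srv/backup and the placeholder key in the authorized_keys comment are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumptions: BACKUP_ROOT
# and the placeholder key in this authorized_keys entry:
#   command="/root/bin/validate_command",no-pty,no-port-forwarding ssh-rsa AAAA...PLACEHOLDER backup@client
LC_ALL=C; export LC_ALL     # make the A-Z / a-z ranges below plain ASCII
set -f                      # never glob-expand words taken from the client
BACKUP_ROOT=/srv/backup     # assumed: the only tree this key may touch

# is_allowed CMD: succeed only for an rsync server-mode command line in
# which every word is an option without a path, or a path under BACKUP_ROOT.
is_allowed() {
    case "$1" in
        "rsync --server "*) ;;      # what an rsync client sends over ssh
        *) return 1 ;;
    esac
    have_path=
    for word in $1; do              # split on whitespace only (globbing is off)
        case "$word" in
            *[!A-Za-z0-9._/,=-]*) return 1 ;;   # quotes, ;, |, $, backticks, ...
            *..*) return 1 ;;                   # path traversal
            rsync|.) ;;                         # program name, "." placeholder
            -*/*) return 1 ;;                   # option that carries a path
            -*) ;;                              # ordinary option
            "$BACKUP_ROOT"/*) have_path=1 ;;    # path inside the allowed tree
            *) return 1 ;;                      # anything else
        esac
    done
    [ -n "$have_path" ]             # at least one allowed path is required
}

# Dispatch only when sshd has set SSH_ORIGINAL_COMMAND (forced-command run).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND  # unquoted on purpose: argv split, no eval
    fi
    logger -t validate_command "denied: $SSH_ORIGINAL_COMMAND"
    echo "You must be joking..." >&2
    exit 1
fi
```

rsync also ships its own restricting wrapper, rrsync, for the same purpose.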