
Probably. See my comment (and example repo) elsewhere about running any old binary when someone connects.


Or you can just run an IRC client on start. Just trap SIGINT and SIGTSTP, run a simple or modified client that cannot do exec or escape to a shell, and you are done :)


Spoiler: set the user’s shell to any old binary, like a chat app.


Or in the authorized_keys file, prepend the public key with a specified command. This is then the only command that the user can execute when logging in with that particular key. To wit:

  command="/usr/bin/foo" ssh-ed25519 AAAA....


I suppose this will also lock the user out of sftp and scp? Because otherwise they might be able to edit the authorized_keys file and run any command.


"I suppose this will also lock the user out of sftp and scp?"

No it won't! The specified command might provide sftp, scp, telnet or stream a film.
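To make the two comments above concrete, here is an added example of a forced-command wrapper, not code from anyone in this thread. It is what the `command="..."` in authorized_keys would point at: sshd runs it instead of the shell regardless of what the client asked for, and passes the client's original request in SSH_ORIGINAL_COMMAND. The wrapper only starts the chat client for a plain interactive login and refuses scp, sftp and arbitrary commands, and it ignores SIGINT/SIGTSTP before exec so Ctrl-C and Ctrl-Z cannot drop the user anywhere. The install path /usr/local/bin/chat-only and the client path /usr/bin/foo are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the authorized_keys trick above.
# Assumed paths: this script lives at /usr/local/bin/chat-only and the chat
# client is /usr/bin/foo (override with CHAT_CLIENT).
#
# Intended authorized_keys line (one line):
#   restrict,pty,command="/usr/local/bin/chat-only" ssh-ed25519 AAAA...
# "restrict" disables port/agent/X11 forwarding and pty allocation; "pty"
# re-enables the pty the interactive client needs.

CHAT_CLIENT="${CHAT_CLIENT:-/usr/bin/foo}"

# sshd sets SSH_ORIGINAL_COMMAND to whatever the client requested; it is
# empty for "ssh user@host" with no command. Classify the request so the
# wrapper can allow only interactive logins and log everything else.
# Returns one of: login, sftp, scp, exec.
classify_request() {
    case "$1" in
        "")                            echo login ;;
        internal-sftp|*sftp-server*)   echo sftp  ;;   # "sftp host" / "scp -O"-less scp
        scp\ *|*/scp\ *)               echo scp   ;;   # classic scp -t / scp -f
        *)                             echo exec  ;;   # "ssh host bash" and friends
    esac
}

main() {
    kind=$(classify_request "${SSH_ORIGINAL_COMMAND:-}")
    if [ "$kind" != login ]; then
        # ${SSH_CLIENT%% *} is the peer address (sshd sets "ip port port").
        logger -t chat-only "denied $kind request from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND}"
        echo "This key only opens the chat client." >&2
        exit 1
    fi
    # Ignored signals survive exec(), so the chat client starts with Ctrl-C
    # and Ctrl-Z already ignored. The client itself must still refuse to
    # spawn a shell; the wrapper cannot enforce that for it.
    trap '' INT TSTP
    exec "$CHAT_CLIENT"
}

# Only act when installed and invoked under the expected name; sourcing or
# running the file elsewhere just defines the functions.
case "$0" in
    chat-only|*/chat-only) main ;;
esac
```

Note that the wrapper does not implement sftp or scp, which is the point: with this forced command the key cannot be used to edit authorized_keys, because neither subsystem nor an arbitrary command ever runs. If you did want file transfer for that key, the forced command would have to exec sftp-server itself, as the reply above says.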


I stream a film at funky.nondeterministic.computer on port 22


hah

made me laugh


I had no idea about that, thank you!


I'd recommend using https://github.com/gliderlabs/ssh instead, no chance of some shell escape that way.


I use a fork of that!



