I'm a bit surprised that nobody has used the native SSH functionality in their answer yet... I know I'm 4 years late but it could still be handy :)
When using SSH you should use keys for logging in; as we are talking about securing a server, disabling password login should be one of the first things you should do. So, as you are using keys, you now have the ability to allow only one single command per key by adding this in the authorized_keys file:
command="only" ssh-rsa AAABBBCC....
The only command is a whitelisting feature which allows the user to run only those commands. You do not have to make exceptions on your system(s) by changing the default binary permissions (which is an admin hell..). Make sure you set the authorized_keys file to be non-writable for the user.
The only command is a script that must be installed in /usr/bin/ with 775 permissions.
Read all about it: The Only Way For SSH Forced Commands
Now you understand how it works, you can simply whitelist any command that you allow the user to execute:
command="only cal cowsay factor figlet fortune" ssh-rsa AAABBBCC....
Or use an .onlyrules file with the proper syntax, be careful not to use any greedy regex..
     ----------------
    < I'm restricted >
     ----------------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
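To show what a forced-command wrapper has to check, here is an added sketch that is not part of the original answer and is not the `only` script from the linked article. The install path `/usr/local/bin/ssh-gate` and the function names `is_allowed` and `run_gate` are hypothetical; `SSH_ORIGINAL_COMMAND` is the variable sshd sets to whatever the client asked to run.

```shell
#!/bin/sh
# Illustrative forced-command gate (added example, NOT the "only" script).
# Assumed (hypothetical) install path and authorized_keys entry:
#   command="/usr/local/bin/ssh-gate cal factor" ssh-rsa AAABBBCC....
# sshd runs this script instead of the client's request and passes the
# request in SSH_ORIGINAL_COMMAND.

# is_allowed REQUEST ALLOWED...
# Succeeds only when the first word of REQUEST is exactly one of ALLOWED
# and REQUEST contains nothing but a conservative set of characters.
is_allowed() {
    request=$1; shift
    # Empty request means an interactive login attempt: refuse.
    [ -n "$request" ] || return 1
    # Refuse shell metacharacters, newlines, tabs and "/" (no paths,
    # no "cal; id", no "$(...)"), so the request is plain words only.
    case $request in
        *[!A-Za-z0-9" "._=-]*) return 1 ;;
    esac
    first=${request%% *}        # command name = text before first space
    for name in "$@"; do
        [ "$first" = "$name" ] && return 0
    done
    return 1
}

# run_gate ALLOWED...
# Executes the client's request if it passes is_allowed, else denies.
run_gate() {
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}" "$@"; then
        PATH=/usr/bin:/bin; export PATH   # fixed lookup path
        set -f                            # split into words, no globbing
        # No eval: the request is never re-parsed by a shell.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "denied: ${SSH_ORIGINAL_COMMAND:-<interactive shell>}" >&2
    return 1
}

# When installed as the forced command, the allowed names arrive as "$@".
[ "$#" -eq 0 ] || run_gate "$@"
```

Exact matching on the first word is what keeps `calendar` from passing as `cal`, which is the same failure a greedy regex in a rules file would cause.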