There's also a command argument that can be provided in the authorized keys setup, which can force connections with a particular key to hit an entry-point application.
note, that even with ForcedCommand, sshd still executes ~/.ssh/rc in the user's name, so she can execute arbitrary command once she can write the rc file (unless disabled by PermitUserRC).