For LOAD (Linux Open Administration Days), I had to provide shell access to a few people in order to maintain the Drupal site. Since this is a multisite Drupal installation, simply providing shell access would be a huge security issue.
Here's how I secured it as much as possible:
Step 1: create an ssh chroot jail
cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroo...
chmod 700 /usr/local/sbin/make_chroot_jail.sh
I adapted the script to include vi. Next I created a user.
make_chroot_jail.sh user1 /bin/bash /home/user1
When the script asks to overwrite /bin/bash just say yes. Then:
make_chroot_jail.sh update /bin/bash /home/user1
After that, add this to /etc/ssh/sshd_config:
[...]
Match User user1
ChrootDirectory /home
AllowTCPForwarding no
X11Forwarding no
and as a final step:
/etc/init.d/ssh restart
chmod 700 /home/user1
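sshd only accepts a ChrootDirectory when every component of the path is a root-owned directory that is not writable by group or others (see sshd_config(5)); otherwise the login is refused. The following script is an added example, not part of the original post, that audits a path against those conditions before you restart sshd. The function names are hypothetical and it assumes GNU stat.

```sh
#!/bin/sh
# Added example: audit a ChrootDirectory path against the ownership and
# mode conditions documented in sshd_config(5). Function names are
# hypothetical; requires GNU stat (Linux).

# check_component DIR [OWNER_UID]
# Returns 0 if DIR is a directory owned by OWNER_UID (default 0 = root)
# and not writable by group or others; prints the reason otherwise.
check_component() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    # Octal 022 = group-write | other-write permission bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"; return 1
    fi
    return 0
}

# check_chroot_path PATH [OWNER_UID]
# Walks PATH from / down to the leaf and checks every component,
# reporting all problems rather than stopping at the first one.
check_chroot_path() {
    path=$1
    want=${2:-0}
    rc=0
    cur=
    check_component / "$want" || rc=1
    old_ifs=$IFS; IFS=/
    for part in $path; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        check_component "$cur" "$want" || rc=1
    done
    IFS=$old_ifs
    return $rc
}

# Stand-alone use: pass the ChrootDirectory value, e.g. /home
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root with the value from the Match block (here /home) as its only argument; no output and exit status 0 means the path meets the conditions.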
Step 2: allow access to the Drupal files
My Drupal installation is in /srv/drupal, and thus sites are in e.g. /srv/drupal/sites/site1.
We don't want to give the user access to settings.php, but we do want them to be able to access themes, modules, files and tmp.
First we need to create some directories:
cd /home/user1/home/user1
mkdir -p website/themes
mkdir website/modules
mkdir website/files
mkdir website/tmp
Then we need to mount the original dirs to the new ones, since we can't softlink outside a chrooted environment:
mount --bind /srv/drupal/sites/site1/files /home/user1/home/user1/website/files
mount --bind /srv/drupal/sites/site1/modules /home/user1/home/user1/website/modules
mount --bind /srv/drupal/sites/site1/themes /home/user1/home/user1/website/themes
mount --bind /srv/drupal/sites/site1/tmp /home/user1/home/user1/website/tmp
Step 3: enable OTP (One Time Passwords)
Enable OTP as per the excellent instructions by Bert.