The following example shows how to restrict a public key in the authorized_keys (.ssh directory) file to only run the specified command, along with other restrictions on the connection. The limitations must be listed on one line, prior to the lengthy public key data.

command="rsync --server -v --timeout=999 --delete-excluded . backup/client",↵ no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3Nza…