Disabling all commands over SSH

from man sshd_config:

ForceCommand

Forces the execution of the command specified by ForceCommand ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of “internal-sftp” will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory

this lets you use a shell wrapper that lets only do specific things. one example is rssh.

If you only want this restriction for specific users, use the command=cmd option in the known_hosts file (documented in man sshd)

One method, while not perfect, would be to create a separate partition for the users home directories any locations which they have write access. The simply mount those partitions noexec.

Proper setup of file-system permissions will generally be very effective to limit the damage that can be done.

If the users are not at least somewhat trusted, then perhaps it is a bad idea to give them SSH access at all. Perhaps you need to setup VMs for them and confine each to their own environment.

Maybe setting up a chroot environment for your users could help. See How can I chroot ssh connections?