OK, if you want to have that architecture, but do it all real slick like, then look at a freenx implementation instead. No actual ssh possible, no vnc sessions idling around. Basically you have a special user which is logged into over ssh. Once that user is logged in, a vnc server for the actual user is started up and tunnelled over the existing ssh connection, so there are no additional services running - something that really made me smile when I first saw it.
I'm sure there's a certain formal shell you can run which will also give this behaviour. Ideally you just don't want to allow execution of a remote command. If you check the ssh manpage you'll see the -N option, which is the behaviour you want to force from the server side, right? No sign of an sshd_config option for that. You can write a script such as:
which will open a terminal for 3 minutes and, apparently, close *IF* there is nothing running over the tunnel, so that's quite nice. You could expand this and start the vnc server before the sleep in case it's not running. freenx is nicer though.
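
An added example, not the script from the original post: one way to build the tunnel-only account described above is a forced-command wrapper that refuses any remote command the client requests and otherwise just holds the session open for the forward. The script path, the `tunnel` user name and the `HOLD_SECONDS` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a tunnel-only SSH account.
# Assumed wiring (hypothetical path and user name), in sshd_config:
#   Match User tunnel
#       ForceCommand /usr/local/bin/tunnel-hold.sh
#       PermitTTY no
# or per key, as an authorized_keys prefix:
#   command="/usr/local/bin/tunnel-hold.sh",no-pty

HOLD_SECONDS="${HOLD_SECONDS:-180}"   # the 3 minutes mentioned in the post

# sshd puts whatever the client asked to run in SSH_ORIGINAL_COMMAND.
# A client started with "ssh -N" asks for nothing, so the string is empty.
classify_request() {
    if [ -n "${1:-}" ]; then echo refused; else echo hold; fi
}

tunnel_hold() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if [ "$(classify_request "$requested")" = refused ]; then
        # Record the attempt; the client's string is never eval'd or exec'd.
        msg="refused remote command for ${USER:-unknown}: $requested"
        if command -v logger >/dev/null 2>&1; then
            logger -t tunnel-hold "$msg" 2>/dev/null || true
        fi
        echo "This account only carries port forwards." >&2
        return 1
    fi
    # Keep the session alive long enough for the client to open its
    # forwarded connection; no shell is ever started.
    sleep "$HOLD_SECONDS"
}

# Run only when installed under the (hypothetical) name above, so the
# functions can also be sourced and exercised without sleeping.
case "${0##*/}" in
    tunnel-hold.sh) tunnel_hold ;;
esac
```

Refused attempts land in syslog under the `tunnel-hold` tag, which gives a simple signal to alert on if someone tries to use the account for anything other than forwarding.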