I agree. If you don't trust him at all then you should think twice before allowing him to (ab)use your server as a conduit. Whatever he does will point to your IP address.
If you're doing this anyway try this:
- create an unprivileged user account and set an inert shell (/bin/false or /sbin/nologin),
- clear out his ~/ directory, create a ~/.ssh/ directory and generate a key for him with a good difficult pass phrase,
- give him the private key and stick the public part in ~/.ssh/authorized_keys.
- prefix the key data with
(key sig after the space) to deny allocating a pseudo-TTY, deny X11 forwarding, only allow him to connect from within a certain IP range and only allow him to open a specific port on your server.
- ensure access permissions are as needed then 'chattr =iu -R' his home directory to ensure nothing can be dropped there,
- additionally set some firewall rules for restricting and limiting traffic rates if your OpenVZ comes with the required modules, and
- additionally set some /etc/audit/audit.rules to track usage and ensure you read logs that Logwatch creates (you do run reporting, right?).
YMMV(VM) but I HTH