You have to set up a chroot for your users, using something like
scponly. Rssh is similar, but in my experience scponly is much easier to set up.
The webpage seems to be down for me atm, but if you search around you'll probably find the source, as scponly is included in a few distributions.
The process is pretty much:
su - (you have to be root, otherwise the configure script won't find useradd, and thus the script used for creating chroots won't work)
./configure --enable-chrooted-binary (you may want to disable scp functionality, --help for more.)
make && make install
make jail
The make jail script included has a couple of limitations, namely:
* it can only create per-user chroots
* it can't just update libraries/binaries in a chroot (in case of security fixes, etc)
I wrote a script which handles those things, PM me if you want it.