Here are some articles showing the trick to allow a user to scp, but not regular ssh:

• http://www.snailbook.com/faq/restricted-scp.auto.html
• http://www.eng.cam.ac.uk/help/jpmg/ssh/authorized_keys_howto.html

If you add from="hostname1.com,hostname2.com" to the key in authorized_keys, you may sometimes see error message like this:

Authentication tried for username with correct key but not from a permitted host (host=1.2.3.4, ip=1.2.3.4)

This is because the ssh would do a reverse DNS lookup during login, and your local ISP's name server is not very reliable.

There is a simple way to get around this. Just edit your /etc/hosts file, and put your remote host's IP in there.