I want to limit the user to doing only rsync so that I can very tightly control what the user can do. (Mainly I want to disallow any uploads and allow downloads from only one dir.)
I was indeed using the wrong jk_lsh.ini file - my bad, I did not read the example carefully. After editing the correct ini file (and following the man page example for the ini file) I am pleased to report that it works.
I have been advised that setting up a jail is too error prone and we should just use permitopen and no-pty options in ~/.ssh/authorized_keys. Anybody have opinions (or better, experience) regarding the tradeoffs?