@philpem Hmm, a shell that does a chroot (and traps INT/HUP/QUIT might be useful. Right now I just have a user with /bin/sh as their shell and this as their .profile to prevent breaking out:
trap "" 1 2 3
telnet -E vax-ip-address
exit
This still has a tiny race, unless the shell actively fails upon a signal between sourcing .profile and executing its contents. Maybe I should just write a couple lines of C…