How do I configure SSHd to permit a single command, without giving full login access to the user?

You can restrict commands using the authorized_keys file. Put command="/home/rpcall/bin/command.sh" before the key, in the authorized_keys file, and the user will only ever run that command when they connect.

Check the man page for authorized_keys, this is from that man page,

 command="command"
         Specifies that the command is executed whenever this key is used
         for authentication.  The command supplied by the user (if any) is
         ignored.  The command is run on a pty if the client requests a
         pty; otherwise it is run without a tty.  If an 8-bit clean chan-
         nel is required, one must not request a pty or should specify
         no-pty.  A quote may be included in the command by quoting it
         with a backslash.  This option might be useful to restrict cer-
         tain public keys to perform just a specific operation.  An exam-
         ple might be a key that permits remote backups but nothing else.
         Note that the client may specify TCP and/or X11 forwarding unless
         they are explicitly prohibited.  The command originally supplied
         by the client is available in the SSH_ORIGINAL_COMMAND environ-
         ment variable.  Note that this option applies to shell, command
         or subsystem execution.

If you need more than one command, you need to basically set up several sets of keys and use different keys to give you different commands.

Edit: I just noticed, the original command is available in the SSH_ORIGINAL_COMMAND environment variable, so you could indeed handle that input using your own script, doing something clever.