...they can only access this via the local LAN
It's trivial to configure SSH to restrict user login to particular addresses using some combination of AllowUsers and DenyUsers.
From man sshd_config:
    AllowUsers
        This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
The same applies to DenyUsers, except such users are denied access.
Which one you'd use depends on your network architecture and how restrictive you want to be. From your description it sounds like you could use something like:
    DenyUsers username@*,!192.168.1.*
This will prevent the user username from logging on from any IP address except those in the 192.168.1.x subnet.
Add this line to /etc/sshd_config on the server and you're set.
As for:
...give someone SSH access to a specific directory (and its sub-directories) on my Xserve
You can achieve this via chroot, although it's a little more complex to set up.
Provided your server is running 10.5.4 or later (IIRC chroot support was only added then), you can add the following to /etc/sshd_config:
    Match User username
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /var/sftp
Now when the user username logs on they will see /var/sftp as being the root drive of the system (so their home directory may now be /var/sftp/Users/username).
There are some specific permission requirements for chroot - for example, the /var/sftp directory needs to be root-owned, but it's not hard to find documentation on the requirements.
Note that the various *Forwarding options are disabled to prevent this user from opening ports on the server once they're logged in.
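How the USER@HOST pattern list in the DenyUsers line is evaluated, as an added example that is not part of the original post and is not OpenSSH code. It assumes the line is written with `*` wildcards as `username@*,!192.168.1.*`, and it is a simplified model: wildcard matching on the client address only, with no CIDR or hostname lookup; the function names are hypothetical.

```python
import re

def glob_match(value, pattern):
    """OpenSSH-style wildcard match: '*' is any run, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def pattern_list_match(value, pattern_list):
    """Return 1 on a positive match, -1 if a negated entry matches, else 0.

    A matching '!entry' overrides every positive match in the list, and a
    negated entry on its own never produces a positive result.
    """
    positive = 0
    for entry in pattern_list.split(","):
        negated = entry.startswith("!")
        if glob_match(value, entry[1:] if negated else entry):
            if negated:
                return -1
            positive = 1
    return positive

def user_pattern_matches(user, addr, pattern):
    """Evaluate one AllowUsers/DenyUsers entry of the form USER or USER@HOST."""
    user_pat, at, host_pats = pattern.partition("@")
    if not glob_match(user, user_pat):
        return False
    if not at:
        return True  # no host part: the user name alone decides
    return pattern_list_match(addr, host_pats) == 1

def login_permitted(user, addr, deny_users=(), allow_users=()):
    """DenyUsers is checked first; AllowUsers, if set, must then match."""
    if any(user_pattern_matches(user, addr, p) for p in deny_users):
        return False
    if allow_users:
        return any(user_pattern_matches(user, addr, p) for p in allow_users)
    return True

# Constructed sample: the DenyUsers entry from the post, with wildcards assumed.
DENY = ["username@*,!192.168.1.*"]

if __name__ == "__main__":
    for who, addr in [("username", "192.168.1.20"), ("username", "203.0.113.7"),
                      ("other", "203.0.113.7")]:
        verdict = "permitted" if login_permitted(who, addr, DENY) else "denied"
        print(who, addr, verdict)
```

On a real server, the effective configuration for a given user and source address can be printed with sshd's extended test mode (`sshd -T -C user=...,addr=...`) before relying on it.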