authpf user lockdown

Hey guys,

Sorry to bother with what might be super trivial matters/questions, but I wasn't sure if it's a "networking" question.

So, I am trying to set up a dual-step authentication gateway using authpf. What I want to happen is:
->user logs in via ssh
->while he/she has the session open, I have rules loaded on a per-user basis.
->while logged in via ssh, the user is chrooted and stripped of all privileges, as close to a daemon/nologin class as I can get.

So step three is what I am trying to solve. I can make some directories named as users and do
And then make directories named appropriately, but make root own them.

However, wouldn't the authpf user, which is part of no relevant groups and owns no files/directories, still be able to issue commands?
Is there a way of me stopping that?
Basically I want the ssh session to be a type of "turn-key" where, when a user connects using it, the appropriate rule set is loaded automatically that lets him/her talk to services on my network. As soon as the ssh session is terminated, the ruleset is unloaded.

Or is it not possible to do something like that safely and I should just accept the risks?

p.s. Additionally, is there anything that exists that can both modify the pf ruleset on the fly and perform authentication but does not use ssh to do it? Or would something like this have to be written from scratch? I guess something like nginx serving a page with login info which then signals to load the appropriate anchor?
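As an added illustration (not part of the original post), here is the shape of an authpf(8) deployment on OpenBSD that covers the first two steps above: a per-user anchor that is loaded when the ssh session opens and removed when it closes. The interface names, the user name `alice`, the server address and the ports are assumed values; the file locations, the `authpf/*` anchor, the `authpf_users` table and the `$user_ip`/`$user_id` macros are what authpf itself documents.

```conf
# --- /etc/pf.conf (excerpt) ---
# The anchor is where authpf inserts each logged-in user's rules under
# authpf/<user>(<uid>); without it authpf refuses to run.
ext_if = "em0"
int_if = "em1"
table <authpf_users> persist     # authpf adds/removes $user_ip here on login/logout
block all
pass in on $ext_if proto tcp to ($ext_if) port ssh      # the gateway's own sshd
anchor "authpf/*"

# --- /etc/authpf/authpf.conf ---
# Must exist, but may be empty.

# --- /etc/authpf/users/alice/authpf.rules ---
# Per-user rules, loaded with pfctl into alice's anchor. Macros from pf.conf are
# not visible here, so interface names are defined again. Falls back to
# /etc/authpf/authpf.rules when no per-user file exists.
int_if = "em1"
mail_server = "10.0.1.10"        # assumed address
pass in quick on $int_if proto tcp from $user_ip to $mail_server port { 143, 993 } \
    label "authpf:$user_id"
pass out quick on $int_if proto tcp from $user_ip to $mail_server port { 143, 993 }

# --- /etc/ssh/sshd_config (excerpt) ---
# Lets sshd notice a dead client so authpf tears the anchor down instead of
# leaving rules loaded for a session that is no longer there.
ClientAliveInterval 15
ClientAliveCountMax 3
```

Two remaining steps are account settings rather than files: `/usr/sbin/authpf` must be listed in `/etc/shells`, and the gateway user's login shell is set to `/usr/sbin/authpf` (for example with `usermod -s /usr/sbin/authpf alice`). That is also the answer to the "issue commands" concern in step three: authpf is not an interactive shell, so the session never gets a prompt; it loads the anchor, prints a banner, waits for the connection to end and then flushes the anchor and removes `$user_ip` from `<authpf_users>`. Users can additionally be limited with `/etc/authpf/authpf.allow` or blocked with a file under `/etc/authpf/banned/`.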