> Set user's shell to /usr/bin/ksh -r)
> Now, every time he tries to log in via either ssh *or* sftp, I get the
> following showing up in the syslog:
> Nov 19 10:21:09 hostname sshd[811106]: User bogus not allowed because
> shell /usr/bin/ksh -r is not executable

It is literally with a space and -r. You don't use command line arguments
in the passwd(5) file.

> Anyone have any ideas? Am I missing something stupidly simple? (and yes,
> /usr/bin/ksh *is* executable)

ls -l "/usr/bin/ksh -r"

Maybe you can make a script rksh that runs ksh -r. Some systems already
have a rksh for restricted ksh. (Check if you already have rksh.)
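
An added example, not part of the original message: a POSIX sh audit that treats the 7th passwd(5) field as one path, as the reply describes, and reports entries where that path contains a space or is not an executable file. The function names, sample accounts and the placeholder path are constructed for illustration.

```shell
#!/bin/sh
# audit_passwd_shells FILE
# Print "user<TAB>shell<TAB>reason" for each entry whose shell field
# (7th colon-separated field) is not the path of an executable file.
audit_passwd_shells() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell || [ -n "$user" ]; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        # An empty field means the system default shell; nothing to check.
        if [ -z "$shell" ]; then continue; fi
        case "$shell" in
            *" "*)
                # The whole field is the path; arguments are not split off.
                reason="contains a space (field is a path, not a command line)" ;;
            *)
                if [ ! -e "$shell" ]; then
                    reason="no such file"
                elif [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
                    reason="not an executable file"
                else
                    continue
                fi ;;
        esac
        printf '%s\t%s\t%s\n' "$user" "$shell" "$reason"
    done < "$1"
}

# Constructed sample input: three passwd(5) lines, one with the shell
# field from the quoted log message, one valid, one placeholder path.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
bogus:x:1001:1001::/home/bogus:/usr/bin/ksh -r
alice:x:1002:1002::/home/alice:/bin/sh
carol:x:1003:1003::/home/carol:/nonexistent/placeholder-shell
EOF
    audit_passwd_shells "$f"
    rm -f "$f"
}

demo
```

On a real host, call audit_passwd_shells /etc/passwd instead of demo.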