I often use the "command" state in authorized_keys to execute pre-used
command="/etc/init.d/my_script" ssh-rsa AAAAB3NzaC1yc...

In this way, my students can connect to my server and only execute the
commands I allow in authorized_keys.
But this morning, a student came ans showed me that he has got full
shell access to my server.

The reason is that i tried the "screen" command last week which allow
to attach and detach a shell when connecting.
I found this command very usefull and wanted to use it automatically
when connecting. Then I put the "screen -r" command in my .bashrc to
automatically attach a screen window when i connect.

This is the bad thing, if there is a screen in background, a student
connecting, who should only be able to execute a unique command, get
full access.

Is this normal ? is there any way to change this ?
For the moment i commented the "screen -r" command in .bashrc and it
is ok.