You're best bet is to have them call you when they're ready to do. You log in, shut it down, they can install the memory and bring it back up. You should be monitoring during this process anyway to make sure the server comes back online.
Give the vendor a non-privileged user account, and see if setting the SUID bit on "shutdown" will do the trick.
It would be prudent to remove the "rx" permissions for "others", and do a "chgrp" on "shutdown" from "root" to some new group. (For example, you might call the new group.... "shutdown".) Put the vendor's account in that group.
By default the user at the console can halt the box.
I think I'd forgotten that. Seems odd that this is the case, though I guess if you've got physical access you're not far from the power cord anyway.
I can tell you that 'shutdown -h now' in an ssh terminal session on your server looks almost exactly like the same command on a terminal session on your linux desktop. It looks enough alike that one might shut down some webservers at the datacenter thinking they were shutting down their local pc :).