Configure SSH to allow port forwarding but no commands for particular key?

Solution 1:

You have to add no-pty,command="/bin/false" keyword before your key so it will look like this:

no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABBACzbcwCZNaN3HhHmpnaVrfZlNJ0HhPnOqEj
k2llms1OOPnEXetIlZuJw0UXbyMbhQbBl/E2wxXvXvF+jyLRR5yN6kBydM4LhjC0ej0PcH839vXd
uwJpDFjPw3s7r0VOhU1WRyk6Da6rX6shzabhQioIm3MHCjNOdywPb0k1cTj4yOxoOCOqGjmXK0
xxzTd+ZjTJqQGWzZ+8L8cVtKmU8kspYlCdhGWSv0Den36OsScnWTBn8A3X3lVJB5NkEm
BM1yKX4F6BhhD317VensEUu031PtFULeSF97IxDPmK36OFz9TPSf4d8Hp3BqtysqUlbWfEhYdHXj
+1Mn4xXZKiZhBh1DX youruser@yourhome

(This is all in a single line, I added the line breaks for readability).

Solution 2:

man sshd

Section AUTHORIZED_KEYS FILE FORMAT. You can restrict what users can port forward to simply by adding the ports and hosts you want to allow, like

permitopen="192.0.2.1:80"

Also you can restrict where do the user connect from, which commands can execute, etc.