For a given key I was intending to prevent any interaction except for starting an SSH tunnel to a particular local port. Turns out that for each key in
~/.ssh/authorized_keys you can add so called login options, by preppending them to the key, like that:
option="value",option-without-value,another-option <KEY ...> <COMMENT>
This combination of options seem to do the trick:
Let me go through each of them individually:
disallows any command to be executed using this key
Disable all options, such as TTY allocation, port forwarding, agent forwarding, user-rc, and X11 forwarding all at once.
Enables TCP port forwarding, but see below.
Limits TCP port forwarding to local port
80. That's the only thing this key should allow.
So in total it's:
command="",restrict,port-forwarding,permitopen="localhost:80" ssh-rsa AAAAB3NzaC1yc2EAAA[...]3c7rmJT5/ email@example.com
Make sure it's all in one line and there are is no whitespace between the options.
I've been able to figure this out mainly by reading Client Configuration Files chapter of OpenSSH WikiBook, so the majority of credit goes to it's authors (Lars Noodén et al.). Missing part was
port-forwarding - without it forwarding is forbidden even though
permitopen would suggest otherwise.
Here is some more background: https://superuser.com/a/1231232/195460