How to Setup SSH Key limited to Creating a Tunnel

For a given key I was intending to prevent any interaction except for starting an SSH tunnel to a particular local port. Turns out that for each key in ~/.ssh/authorized_keys you can add so called login options, by preppending them to the key, like that:

option="value",option-without-value,another-option <KEY ...> <COMMENT>

This combination of options seem to do the trick:


Let me go through each of them individually:

So in total it's:

command="",restrict,port-forwarding,permitopen="localhost:80" ssh-rsa AAAAB3NzaC1yc2EAAA[...]3c7rmJT5/

Make sure it's all in one line and there are is no whitespace between the options.

I've been able to figure this out mainly by reading Client Configuration Files chapter of OpenSSH WikiBook, so the majority of credit goes to it's authors (Lars Noodén et al.). Missing part was port-forwarding - without it forwarding is forbidden even though permitopen would suggest otherwise.

Here is some more background: