Leave password unset and make SSH keys:
# useradd -s /sbin/nologin dbuser
(on local machine) $ ssh-keygen (on remote machine) # su -s /bin/bash - dbuser $ cat local_id_rsa.pub >>~/.ssh/authorized_keys
ssh will go to background immediately after authenticating, and will not attempt to execute any command, but the tunnel will be open. However, SSH will not execute any shell or command as the remote user; /sbin/nologin will kick it out every time.
ssh -TfnN -L localhost:<local_port>:localhost:<db_server_port> [email protected]_host
$ ssh [email protected]_host Last login: Fri Jun 10 09:27:24 2016 from local_host This account is currently not available. Connection to remote_host closed.