Oct 10, 2018

How to create an SSH user only for tunnel

You can add a user without a valid login shell:
# useradd -s /sbin/nologin dbuser
Leave the password unset and generate an SSH key pair instead:

(on local machine)
$ ssh-keygen

(on remote machine)
# su -s /bin/bash - dbuser
$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
$ cat local_id_rsa.pub >>~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
At this point, you can use SSH to create the tunnel:
ssh -TfnN -L localhost:<local_port>:localhost:<db_server_port> dbuser@remote_host
ssh goes to the background immediately after authenticating and does not try to run any command, but the tunnel stays open. If someone tries to log in as the user instead, SSH will not run any shell or command for them; /sbin/nologin kicks them out every time:

$ ssh dbuser@remote_host
Last login: Fri Jun 10 09:27:24 2016 from local_host
This account is currently not available.
Connection to remote_host closed.
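The nologin shell only prevents an interactive session: with the setup above, dbuser can still ask sshd to forward to any host and port that remote_host can reach, not just the database. The script below is an added example, not part of the original post; it builds an authorized_keys entry with the OpenSSH key options restrict, port-forwarding and permitopen, and a matching sshd_config Match block, so the key can open a tunnel to one port only. The database port 5432 and the key text are placeholders assumed for the example.

```sh
#!/bin/sh
# Added example (not from the original post). The nologin shell only blocks an
# interactive session; port forwarding is still unrestricted, so this script
# builds an authorized_keys entry and an sshd_config Match block that limit
# dbuser to forwarding to the database port only.
# Assumptions (placeholders, not from the post): the database listens on
# localhost:5432 and the tunnel user is named dbuser.

# Print an authorized_keys line for the tunnel-only user.
#   restrict        turns off pty, agent/X11 forwarding and port forwarding
#   port-forwarding re-enables only TCP forwarding
#   permitopen      limits -L targets to the one host:port given
restricted_authkey_line() {
    db_port="$1"
    pubkey="$2"
    printf 'restrict,port-forwarding,permitopen="localhost:%s" %s\n' "$db_port" "$pubkey"
}

# Print a Match block for sshd_config enforcing the same limits server-side,
# so they hold even if someone later edits the key options.
sshd_match_block() {
    user="$1"
    db_port="$2"
    cat <<EOF
Match User $user
    AllowTcpForwarding local
    PermitOpen localhost:$db_port
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Install the restricted key under the given home directory with the
# permissions sshd insists on (700 for ~/.ssh, 600 for authorized_keys).
install_restricted_key() {
    home_dir="$1"
    db_port="$2"
    pubkey="$3"
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    restricted_authkey_line "$db_port" "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Constructed sample public key (not a real key) so the script runs stand-alone.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY tunnel@local_host'

# Usage: write into a temporary directory instead of the real /home/dbuser
# and show both artefacts.
demo_dir="$(mktemp -d)"
install_restricted_key "$demo_dir" 5432 "$SAMPLE_PUBKEY"
cat "$demo_dir/.ssh/authorized_keys"
sshd_match_block dbuser 5432
rm -rf "$demo_dir"
```

The restrict option needs OpenSSH 7.2 or newer; on older servers list the individual no-pty, no-agent-forwarding and no-X11-forwarding options instead. The permitopen target must match the destination the client names in -L, so keep using localhost:<db_server_port> on the client side. The Match block belongs in /etc/sshd_config (or a file under sshd_config.d) and is the setting that still holds if the authorized_keys options are ever removed.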