To grant a user restricted access to a server solely for forwarding one of its ports (e.g. PostgreSQL) to the user’s local machine, do the following:
Create a group for the users who should be granted restricted access:
addgroup restricted-staff
Add a user to the group:
usermod -a -G restricted-staff <username>
Set the user’s shell to /bin/false:
usermod -s /bin/false <username>
Modify the sshd_config file and add the following rules:
vim /etc/ssh/sshd_config
Match Group restricted-staff
    PermitOpen 127.0.0.1:5432
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
Load the new SSH server configuration:
systemctl restart ssh
The command used by the user to connect is the following:
ssh -L 5432:127.0.0.1:5432 -N <username>@<hostname>
The command will run indefinitely without displaying any output, and will keep the tunnel running for as long as the connection stays alive.
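To confirm that the Match block is actually in effect for a group member, the effective settings printed by sshd's extended test mode can be checked against the rules above. The script below is an added example, not part of the original procedure; the function names and the sample input are constructed, and the AllowTcpForwarding warning goes beyond the rules listed on this page.

```shell
#!/bin/sh
# Added example (not from the original page): audit effective sshd settings.
# stdin: output of `sshd -T -C ...`, i.e. lowercase "keyword value" lines.

# expect KEY WANT: compare KEY's effective value in $CONF with WANT.
expect() {
    got=$(printf '%s\n' "$CONF" | awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
    if [ "$got" = "$2" ]; then
        echo "OK   $1 $got"
    else
        echo "FAIL $1 is '${got:-<unset>}', expected '$2'"
        rc=1
    fi
}

# Returns 0 only if every rule from the Match block is in effect.
audit_tunnel_policy() {
    CONF=$(cat)
    rc=0
    expect permitopen 127.0.0.1:5432
    expect x11forwarding no
    expect allowagentforwarding no
    expect forcecommand /bin/false
    # Not one of the page's rules: PermitOpen only limits the destinations of
    # local (-L) forwards, so flag configs that still allow remote (-R) ones.
    fwd=$(printf '%s\n' "$CONF" | awk '$1 == "allowtcpforwarding" { print $2; exit }')
    if [ "$fwd" != local ]; then
        echo "WARN allowtcpforwarding is '$fwd' (want 'local'); PermitOpen does not limit -R forwards"
    fi
    return $rc
}

# Constructed sample: what the Match block above yields for a group member.
SAMPLE_OK='permitopen 127.0.0.1:5432
x11forwarding no
allowagentforwarding no
forcecommand /bin/false
allowtcpforwarding yes'

# Real use, as root (<username> and <client-ip> are placeholders):
#   sshd -T -C user=<username>,host=localhost,addr=<client-ip> | audit_tunnel_policy
```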