Granting restricted SSH access for the purposes of port forwarding only

To grant restricted access to a server for the purposes of forwarding a port on the user’s local machine (e.g. PostgreSQL), do the following:

Create a group for the users who should be granted restricted access:

addgroup restricted-staff

Add a user to the group:

usermod -a -G restricted-staff <username>

Set the user’s shell to /bin/false by editing the user’s entry in /etc/passwd, so that the account cannot obtain an interactive shell:

vim /etc/passwd

Modify the sshd_config file:

vim /etc/ssh/sshd_config

Add the following rules after the global settings (a Match block applies until the next Match line or the end of the file, so it must come last):

Match Group restricted-staff
    PermitOpen 127.0.0.1:5432
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false

Load the new SSH server configuration:

systemctl restart ssh

The command used by the user to connect is the following:

ssh -L 5432:127.0.0.1:5432 -N <username>@<hostname>

The command will run indefinitely without displaying any output, and will keep the tunnel running for as long as the connection stays alive. While it runs, the forwarded service (here PostgreSQL) is reachable on the user’s own machine at 127.0.0.1:5432.
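To check that the Match block above actually takes effect for the group, the following script (an added example, not part of the original page) parses an sshd_config the way sshd does: keywords are case-insensitive, the first value obtained for a keyword wins, and a matching Match block overrides the global section. It then verifies the four settings from the procedure for a given group and destination. The sample configuration embedded in it is constructed to mirror the steps above; the only Match criterion it evaluates is Group, and the AllowTcpForwarding note is an addition beyond the page: PermitOpen limits the destinations of local (-L) forwards only, while remote (-R) forwards are governed by AllowTcpForwarding, which accepts the value local to restrict them.

```python
"""Audit an sshd_config for a port-forward-only Match Group block (added example)."""
import re

# Constructed sample mirroring the configuration described in the procedure.
SAMPLE_CONFIG = """
# global settings
Port 22
X11Forwarding yes
AllowTcpForwarding yes

Match Group restricted-staff
    PermitOpen 127.0.0.1:5432
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
"""

# Settings the procedure requires for the restricted group (keyword -> expected value).
REQUIRED = {
    "X11Forwarding": "no",
    "AllowAgentForwarding": "no",
    "ForceCommand": "/bin/false",
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Keywords are lower-cased; within a section the first value seen wins,
    as in sshd. match_blocks is a list of (criteria string, settings dict).
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd_config accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, blocks


def match_criteria(criteria, group):
    """True when every criterion on the Match line is a Group criterion naming `group`.

    Simplification (assumption of this example): other criteria such as User or
    Address are not evaluated, so a block combining them is treated as not matching.
    """
    tokens = criteria.split()
    pairs = list(zip(tokens[0::2], tokens[1::2]))
    if not pairs:
        return False
    for key, pattern in pairs:
        if key.lower() != "group" or group not in pattern.split(","):
            return False
    return True


def effective_settings(text, group):
    """Global settings with the first matching Match block's values overriding them."""
    global_settings, blocks = parse_sshd_config(text)
    overrides = {}
    for criteria, settings in blocks:
        if match_criteria(criteria, group):
            for key, value in settings.items():
                overrides.setdefault(key, value)
    return {**global_settings, **overrides}


def audit_forward_only(text, group, allowed_destination):
    """Return {'failures': [...], 'notes': [...]} for a forward-only group."""
    eff = effective_settings(text, group)
    failures, notes = [], []
    permit_open = eff.get("permitopen")
    if permit_open != allowed_destination:
        failures.append(f"PermitOpen is {permit_open or 'unset (any destination)'}, "
                        f"expected {allowed_destination}")
    for name, want in REQUIRED.items():
        got = eff.get(name.lower())
        if got is None or got.lower() != want.lower():
            failures.append(f"{name} is {got!r}, expected {want!r}")
    # Beyond the page: PermitOpen only constrains -L destinations; -R forwards
    # are controlled by AllowTcpForwarding, whose value "local" disables them.
    if eff.get("allowtcpforwarding", "yes").lower() != "local":
        notes.append("AllowTcpForwarding is not 'local': remote (-R) forwards remain permitted")
    return {"failures": failures, "notes": notes}


if __name__ == "__main__":
    result = audit_forward_only(SAMPLE_CONFIG, "restricted-staff", "127.0.0.1:5432")
    for item in result["failures"]:
        print("FAIL:", item)
    for item in result["notes"]:
        print("NOTE:", item)
    print("ok" if not result["failures"] else "configuration incomplete")
```

Run it against a real file by replacing SAMPLE_CONFIG with the contents of /etc/ssh/sshd_config; on a host with sshd installed, `sshd -T -C user=<username>` prints the effective configuration for that user and is the authoritative check.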