It’s nothing new or novel but I don’t recall this sort of minutiae off the top of my head.

Recently I needed to limit SSH access for a service account (jenkins) to only be able to tunnel to a specific port on a specific host. I was able to do this using .ssh/authorized_keys file wizardry. Behold:

command="echo 'This account can only be used for database access'",no-agent-forwarding,no-X11-forwarding,permitopen="<mysqlhost>:3306" ssh-rsa AAAAB...[snip]

All the details are in the ridiculously complete sshd man page.
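
An added example, not part of the original post: a small Python audit that parses the options field of an authorized_keys line like the one above and reports where it is looser than a tunnel-only policy. It goes a little beyond the post by also recognising the `no-pty`, `no-port-forwarding` and `restrict` options from the same man page. The host `db.example.internal`, the key blobs and the function names are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # a line starting with one of these has no options field
FLAGS = ("no-pty", "no-agent-forwarding", "no-x11-forwarding")

def parse_options(line):
    """Return {option name (lowercased): [values]} for one authorized_keys line."""
    field, in_quote, prev = "", False, ""
    for ch in line.strip():              # options end at the first space outside quotes
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            break
        field += ch
        prev = ch
    opts = {}
    if field.startswith(KEY_TYPES):      # bare key: no restrictions at all
        return opts
    for m in re.finditer(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?', field):
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
    return opts

def audit(line, allowed_targets):
    """List the ways a key line is looser than a tunnel-only policy."""
    opts = parse_options(line)
    restricted = "restrict" in opts      # OpenSSH 7.2+: enables all the no-* restrictions
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    for flag in FLAGS:
        if not restricted and flag not in opts:
            findings.append("missing " + flag)
    targets = opts.get("permitopen", [])
    forwarding_off = "no-port-forwarding" in opts or (
        restricted and "port-forwarding" not in opts)
    if not targets and not forwarding_off:
        findings.append("port forwarding not limited by permitopen")
    for target in targets:
        if target not in allowed_targets:
            findings.append("unexpected permitopen target " + target)
    return findings

# Constructed sample: the post's line with a placeholder host and key blob.
SAMPLE = ('command="echo \'This account can only be used for database access\'",'
          'no-agent-forwarding,no-X11-forwarding,'
          'permitopen="db.example.internal:3306" ssh-rsa AAAAB3constructed jenkins')

if __name__ == "__main__":
    print(audit(SAMPLE, {"db.example.internal:3306"}))
```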