
How exactly? Because that would be the interesting part of the script. Is the forwarding host chrooted/jailed?


I do a few things.

1. The forwarding user has no group access, and not even write permission for its own home directory.
2. Shell is /bin/false, password is disabled.
3. The SSH public key format actually takes options (man ssh-keygen, -O) which allow it to only be used for port forwarding.

Usually I go through the whole chroot rigamarole, and you certainly could here, but I got lazy and I think these directions will suffice for most people.

This makes me reasonably happy about having a passwordless login to one of my servers.
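An added example, not part of the comment above: a small auditor that parses the options field of an `authorized_keys` line and reports anything that would let the key do more than port forwarding. It assumes the restrictions are written as the `authorized_keys` options documented in sshd(8) (`restrict`, `port-forwarding`, the `no-*` set, `permitopen`, `permitlisten`), and it goes one step further than the comment by also flagging keys whose forwarding targets are not limited; the sample lines and key blob are constructed.

```python
import re

# Prefixes of the key-type field; a line starting with one has no options field.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# One option: name, optional ="quoted value", then a comma or the end of the field.
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(,|\s|$)')
WIDENING = {"pty", "agent-forwarding", "x11-forwarding", "user-rc"}
NEEDED_NO = {"no-pty", "no-agent-forwarding", "no-x11-forwarding", "no-user-rc"}

def parse_options(line):
    """Return {option: [values]} for the leading options field of one key line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}
    opts, pos = {}, 0
    while True:
        m = OPT.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
        pos = m.end()
        if m.group(3) != ",":  # whitespace or end of line closes the field
            return opts

def audit(line):
    """List findings; an empty list means the key is limited to port forwarding."""
    opts = parse_options(line)
    findings = []
    if "restrict" in opts:
        findings += [f"{o} enabled alongside restrict" for o in sorted(WIDENING & opts.keys())]
        if "port-forwarding" not in opts:
            findings.append("restrict without port-forwarding: key cannot forward")
    else:
        findings += [f"missing {o}" for o in sorted(NEEDED_NO - opts.keys())]
    if not ({"permitopen", "permitlisten"} & opts.keys()):
        findings.append("forwarding targets not limited (no permitopen/permitlisten)")
    return findings

# Constructed sample lines; the key blob is a placeholder, not a real key.
KEY = "ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER fwd@example"
SAMPLES = {
    "bare": KEY,
    "legacy": 'no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc,permitopen="127.0.0.1:5432" ' + KEY,
    "restricted": 'restrict,port-forwarding,permitlisten="localhost:2222" ' + KEY,
    "widened": "restrict,port-forwarding,pty " + KEY,
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, audit(line) or "forwarding-only")
```
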



