Yup, coupled with a little init script and instructions for use. Oh, and this particular method can't be used to log into your forwarding host, due to the construction of the public key.
Only wrote the script so I could add network topology reporting as well, so it can submit local MACs. Oh, and maybe automatic Wi-Fi scans. Figure you could plug those into Google's geolocation services for street-level accuracy.
1. The forwarding user has no group access, and not even write permission for its own home directory.
2. Shell is /bin/false, password is disabled.
3. The SSH public key format actually takes options (man ssh-keygen, -O) which allow it to only be used for port forwarding.
Usually I go through the whole chroot rigamarole, and you certainly could here, but I got lazy and I think these directions will suffice for most people.
This makes me reasonably happy about having a passwordless login to one of my servers.
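A way to check point 3 before trusting the passwordless key, as an added example that is not part of the original post: the function below audits one `authorized_keys` line and passes only if the key is limited to port forwarding. The option names are the ones documented in sshd(8); the function names and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one authorized_keys line for a forwarding-only key.
# Option names come from sshd(8), "AUTHORIZED_KEYS FILE FORMAT".

# Print the leading option field (quote-aware); empty if the line has none.
key_options() {
    printf '%s\n' "$1" | awk '{
        q = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"" && substr($0, i - 1, 1) != "\\") q = !q
            if (c == " " && !q) break
            out = out c
        }
        if (out ~ /^(ssh-|ecdsa-|sk-)/) out = ""
        print out
    }'
}

# True if option name $2 appears in the normalised list $1 (",a,b=,c,").
has_opt() { case "$1" in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# Return 0 only if the key can forward ports and nothing else.
audit_forward_key() {
    # Blank quoted values and lowercase, so only option names are matched.
    opts=",$(key_options "$1" | sed 's/"[^"]*"//g' | tr 'A-Z' 'a-z'),"
    rc=0
    if has_opt "$opts" restrict; then
        for o in pty agent-forwarding x11-forwarding user-rc; do
            if has_opt "$opts" "$o"; then echo "FAIL: $o re-enabled"; rc=1; fi
        done
        has_opt "$opts" port-forwarding || { echo "FAIL: forwarding not enabled"; rc=1; }
    else
        for o in no-pty no-agent-forwarding no-x11-forwarding; do
            has_opt "$opts" "$o" || { echo "FAIL: missing $o"; rc=1; }
        done
        if has_opt "$opts" no-port-forwarding; then echo "FAIL: forwarding disabled"; rc=1; fi
    fi
    has_opt "$opts" permitopen= || has_opt "$opts" permitlisten= ||
        { echo "FAIL: no permitopen/permitlisten scope"; rc=1; }
    return "$rc"
}

# Constructed sample line; the key material is a placeholder, not a real key.
SAMPLE='restrict,port-forwarding,permitlisten="localhost:2222" ssh-ed25519 AAAAPLACEHOLDER fwd@laptop'
audit_forward_key "$SAMPLE" && echo "OK: forwarding-only key"
```

Run it against every line of the forwarding user's `authorized_keys`; a bare key with no option field fails the audit.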