How to restrict ssh tunnel authority to a certain port?

http://serverfault.com – I have a program running on remote server port 9999. As it doesn't support any kind of encryption and auth, I'm using an ssh tunnel to access it. This is the command I am using:

ssh -L 9999:localhost:9999 user@remotehost

In order to keep this tunnel alive, I wrote an ssh script to monitor it and restart it if anything went wrong. So, I have to store the password in the script. But, considering the possibility that this client-server is hacked, I think it is better if I can restrict this tunnel to a minimum authority. So, is it possible to restrict the remotehost user so that it can only use ssh tunnel forwar (HowTos)