SSH Tunnelling: How can I stop users being able to access services bound to localhost via port forwarding?

view full story

http://serverfault.com – I want to be able to offer ssh accounts on my linux server for people to be able to use for SSH tunnelling. All accounts will be locked down with no interactive shell, for tunnelling / port forwarding purposes only. My problem is that I don't want them to be able to access services that are bound to localhost only by doing port forwards like the following: ssh account@server -L 9999: & telnet localhost 9999 Would give access to the default mysql database port.. How can I stop this? I see options in the configuration file for OpenSSH to allow specific ports/hosts, but not (HowTos)