I am going to set up a server for the purpose of SSH tunnelling and want some advice on security. I'm intending to have a dedicated installation for this purpose and want to both secure and restrict it completely to the point that it will do nothing else, not even give users a working shell, just a tunnel.

I will of course chroot it, and was looking at restricted shells on top of that, so no binaries in the chroot and a restricted shell environment as well. Of course, I'd like it even more if they just had to ssh shell entirely.

Does anyone have any suggestions for an scponly-style shell that doesn't give a shell prompt, or any other ideas on how best to go about this?