Howto disable SSH local port forwarding?
Another solution would be to only allow port forwarding to specififc users:
From SSH: The definitive guide
Port forwarding can be globally enabled or disabled in sshd. This is done with the serverwide configuration keyword AllowTcpForwarding in /etc/sshd_config. The keyword may have the value yes (the default, enabling forwarding) or no (disabling forwarding):
# SSH1, SSH2, OpenSSH
AllowTcpForwarding no
In addition, SSH2 has the following options:
# SSH2 only
AllowTcpForwardingForUsers
AllowTcpForwardingForGroups
The syntax of these is the same as for the AllowUsers and AllowGroups options. [Section 5.5.2.1, "Account access control"] They specify a list of users or groups that are allowed to use port forwarding; the server refuses to honor port forwarding requests for anyone else. Note that these refer to the target account of the SSH session, not the client username (which is often not known).
...
It's important to realize that the directives in this section don't actually prevent port forwarding, unless you also disable interactive logins and restrict what programs may be run on the remote side. Otherwise, knowledgeable users can simply run their own port-forwarding application over the SSH session. These settings alone might be a sufficient deterrent in a nontechnical community, but they won't stop someone who knows what she's doing.
anyone with login credentials can bring up their own instance of sshd, running on a random port and allow whatever they want, including -L local forwardings:
% /usr/sbin/sshd -d -f mysshd.config -p 12345
if you do not trust the users to do something with your machine then you shouldnt allow them to login in the first place.
(btw, the -D flag is kind of "proxy-problematic" as well)
There is now an option to allow only local / remote forwarding.
AllowTcpForwarding Specifies whether TCP forwarding is permitted. The available options are “yes” or “all” to allow TCP forwarding, “no” to prevent all TCP forwarding, “local” to allow local (from the perspective of ssh(1)) forwarding only or “remote” to allow remote forwarding only. The default is “yes”. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
So, as stated already you should set the shell to nologin, too.