Passwordless SSH for "System User" with NO Login Shell

Set the crypt field to * or to !! in /etc/shadow

eg

# adduser tst  
# passwd -l tst
Locking password for user tst.
passwd: Success
# grep tst /etc/passwd
tst:x:1000:1000::/home/tst:/bin/bash
# grep tst /etc/shadow
tst:!!:17030:0:99999:7:::

At this point the user can not login because there's no valid password.

Now add a command="/thing/to/do" to the beginning of the public key in the authorized_keys file

eg

# ls -l $PWD/authorized_keys 
-rw-r--r-- 1 tst tst 431 Aug 17 17:54 /home/tst/.ssh/authorized_keys

# cat $PWD/authorized_keys
command="/bin/echo hello" ssh-rsa AAAAB3NzaC1yc2E....etcetc

Now this key can be used, but the only thing it can be used for is that forced command:

$ ssh -i ~/.ssh/id_rsa tst@test1
hello
Connection to test1 closed.

If you try to do anything else it'll fail, and still force the same command

$ ssh -i ~/.ssh/id_rsa tst@test1 reboot 
hello
$