Key Restrictions

Useful authorized_keys file restrictions:
from="list"
Can list hosts explicitly, using wildcards, using negation, etc.

command="command arg1 arg2"
Do not run remote command or create interactive shell.  Instead, force 'command' to run.

no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty
Don't allow port forwarding, X11 forwarding, SSH-Agent forwarding, or grant a TTY, respectively.

permitopen="list"
Only allow LocalForwards that have destination host:port combinations in the list.