Johan Beisser wrote:
Read the man page for ssh_config(5) and sshd_config(5), and look at restricting what your users can do. Specifically: AllowTcpForwarding, PermitOpen and PermitTunnel, combined with Match.
Thanks everyone for a great number of enlightening and helpful replies to my post! I have learned a lot. Last not least, and again, how biased I can think: When I noticed some activities by a user who was not logged on, I feared a compromise. That lead me away from the solution: reading the man pages of ssh, as I did not expect this to be 'normal' or even legal.
Thanks again! Uwe
