# core hardening (example — adjust to your policy)
Port 2222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# For your tunneling use-case:
AllowTcpForwarding yes
GatewayPorts clientspecified

# (Optional) Restrict to your username:
AllowUsers tunnel