I want all users to use their public/private key for any kind of access to my server. In the SSH configuration, I will set up 3 groups:
- sshaccess: Users can use shell, SFTP and tunnels;
- sftpaccess: Users can't use the shell, but can use SFTP;
- mysqlaccess: Users can't use the shell, but can use TCP Forwarding to port 3306.
I will allow only these 3 groups to use SSH connection:
AllowGroups sshaccess sftpaccess mysqlaccess
For users in the sftpaccess group, I will force SFTP and lock the user in their home folder:
Match Group sftpaccess
    ForceCommand internal-sftp
    ChrootDirectory %h
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
For users in the mysqlaccess group, I will allow a tunnel to port 3306:
Match Group mysqlaccess
    Banner no
    PermitTunnel yes
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3306
But let's suppose I have the user caique and he needs:
- Access to SFTP, locked in his home folder;
- Access to the MySQL tunnel to connect with his credentials.
I don't want to create one user for SFTP and another user for the MySQL tunnel, so what is the best way to achieve this?
I don't want to expose the MySQL port, therefore I use a MySQL tunnel. But in my tests I could not use the tunnel for users associated with sftpaccess; what am I missing?

`PermitTunnel no` for sftpaccess, therefore this group can't create tunnels.

`sftpaccess` and `mysqlaccess` to a user, the instructions are not replaced by the last group matched?

`Match Group mysqlaccess` before `Match Group sftpaccess` in your `sshd_config` (but I haven't looked really carefully at it, sorry).
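The ordering question raised in the comments comes down to the rule in sshd_config(5): the global section is read first, then every `Match` block whose criteria all hold is applied in file order, and for each keyword the first value obtained in a matching block wins and overrides the global value. Criteria on one `Match` line are ANDed, so `Match Group sftpaccess Group mysqlaccess` selects only users in both groups. The script below is an added illustration, not the asker's configuration or anything from OpenSSH itself: it models that rule for the two `Match` blocks in the question (a constructed `GROUPS` table stands in for the system's group database, the `Banner` line is omitted, and only `Group`/`User` criteria without wildcard patterns are handled) and shows that with the posted order caique ends up with `AllowTcpForwarding no`, while a dedicated both-groups block placed first gives him SFTP, chroot and the port forward together.

```python
"""Simulate how sshd resolves keywords across Match blocks (added example).

Modelled rule from sshd_config(5): global section first, then each matching
Match block in order; criteria on one Match line are ANDed, a comma-separated
Group list is an OR; for each keyword the FIRST value obtained in a matching
block wins and overrides the global value. Simplified: only Group and User
criteria, no wildcard patterns.
"""

# Constructed group membership (assumption): caique is in both groups.
GROUPS = {
    "caique": {"sftpaccess", "mysqlaccess"},
    "alice": {"sftpaccess"},
    "bob": {"mysqlaccess"},
}

# Blocks in the order posted in the question (sftpaccess block first).
CONFIG_AS_POSTED = """
AllowGroups sshaccess sftpaccess mysqlaccess
Match Group sftpaccess
    ForceCommand internal-sftp
    ChrootDirectory %h
    PermitTunnel no
    AllowTcpForwarding no
Match Group mysqlaccess
    PermitTunnel yes
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3306
"""

# Same blocks, plus a block for users in BOTH groups placed first.
CONFIG_COMBINED = """
AllowGroups sshaccess sftpaccess mysqlaccess
Match Group sftpaccess Group mysqlaccess
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3306
Match Group sftpaccess
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
Match Group mysqlaccess
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3306
"""


def parse(text):
    """Split config text into (criteria, [(keyword, value), ...]) blocks.
    The global section is the first block, with criteria == None."""
    blocks = [(None, [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            tokens = value.split()                      # "Group a Group b"
            blocks.append((list(zip(tokens[0::2], tokens[1::2])), []))
        else:
            blocks[-1][1].append((keyword, value.strip()))
    return blocks


def criterion_holds(kind, arg, user):
    """One Match criterion; a comma-separated list matches if any item does."""
    items = set(arg.split(","))
    if kind.lower() == "user":
        return user in items
    if kind.lower() == "group":
        return bool(GROUPS.get(user, set()) & items)
    raise ValueError(f"criterion {kind!r} is not modelled here")


def effective_config(text, user):
    """Return {keyword: value} as sshd would apply it for `user`."""
    global_vals, match_vals = {}, {}
    for criteria, entries in parse(text):
        if criteria is None:
            target = global_vals
        elif all(criterion_holds(k, a, user) for k, a in criteria):
            target = match_vals
        else:
            continue                                    # block does not apply
        for keyword, value in entries:
            target.setdefault(keyword, value)           # first obtained value wins
    return {**global_vals, **match_vals}                # Match overrides global


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("combined", CONFIG_COMBINED)):
        eff = effective_config(cfg, "caique")
        print(f"{label:10s} AllowTcpForwarding={eff.get('allowtcpforwarding')} "
              f"ForceCommand={eff.get('forcecommand')} PermitOpen={eff.get('permitopen')}")
```

Two practical notes. First, `PermitTunnel` governs tun(4) device forwarding, not the `-L` port forward used for a MySQL tunnel; that forward is controlled by `AllowTcpForwarding` and `PermitOpen`, which is why the posted order blocks it for caique. Second, on the real host the same resolution can be checked without a simulation: `sshd -T -C user=caique,host=client.example.com,addr=203.0.113.5` (placeholder host and address) prints the effective configuration after `Match` processing, and `ForceCommand internal-sftp` does not prevent `ssh -N -L 3306:127.0.0.1:3306 caique@server`, because `-N` requests no session command.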