For OpenSSH, you can use PermitOpen host:port
to limit where users can tunnel to. To let them tunnel to a MySQL instance that only listens locally on the default port:
PermitOpen LocalHost:3306
From the sshd_config man page:
PermitOpen
Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:
PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port
Multiple forwards may be specified by separating them with white space. An argument of any can be used to remove all restrictions and permit any forwarding requests. An argument of none can be used to prohibit all forwarding requests. By default all port forwarding requests are permitted.
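As an added example (not part of the original answer), the same restriction scoped to one set of accounts with a Match block, so other users keep the default forwarding behaviour. The group name `dbtunnel` and the `/bin/false` path are assumptions; adjust them to your system.

```conf
# /etc/ssh/sshd_config (fragment) -- added example, not from the original answer.
# "dbtunnel" is a hypothetical group holding the tunnel-only accounts.

Match Group dbtunnel
    # Allow only client-side (-L) forwards; remote (-R) forwards are refused.
    AllowTcpForwarding local

    # Whitespace-separated list of permitted destinations.
    # sshd compares the host the client asks for against these entries
    # as written, so list each spelling the clients will use.
    PermitOpen localhost:3306 127.0.0.1:3306 [::1]:3306

    # Forwarding limits mean little if the account can also run commands
    # and start its own relay, so give it no shell, TTY or other channels.
    # /bin/false is an assumed path.
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Check the file with `sshd -t` before reloading the daemon. Clients in that group then connect with `ssh -N -L 3306:localhost:3306 user@server`, and a request for any other destination is refused by the server.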