How do I create a new user which has no capabilities? For instance, they should not be able to run any commands or view any directories (except for their home directory if necessary).

The only purpose of this user is to allow Machine1 to create an SSH connection to newlimiteduser@Machine2 (the machine with this limited new user), and then Machine2 can create an SSH connection back to Machine1 using the previously established SSH connection as a tunnel.

user1032531

1 Answer

You can easily restrict what an SSH session can do if you use ssh keys and use the command= option in ~/.ssh/authorized_keys:

Create a key pair for the user on machine1 that should initiate the session, add its public key to ~/.ssh/authorized_keys of the limited user on machine 2, and prepend the line containing that key with something like this:

command="/bin/sleep 1000d" ssh-rsa AAAA.....

This leads to the session just sleeping for up to 1000 days. If you cancel this, the session gets terminated.

You can also do other things to further restrict the session, see man sshd at the description of the AUTHORIZED_KEYS file format.

Sven
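
An added example, not part of the answer above: a small Python audit that parses the options field of authorized_keys lines (the format described in man sshd) and lists what each key may still do, which shows what command= alone leaves open. It assumes options are applied left to right; the sample lines, the placeholder key blobs and port 2222 are constructed for illustration.

```python
# Added example: report which capabilities an authorized_keys entry keeps.
# Assumption: sshd applies the options left to right. Callers should skip
# blank lines and lines starting with '#'.
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
TOGGLES = {"pty", "agent-forwarding", "x11-forwarding", "port-forwarding", "user-rc"}

def split_options(line):
    """Return [(name, value), ...] from the leading options field, if any.
    Values may be double-quoted and hold commas, spaces and escaped quotes."""
    opts, buf, quoted, i = [], "", False, 0
    if line.startswith(KEY_PREFIXES):
        return opts                          # line starts with the key type
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 1        # escaped quote inside a value
        elif c == '"':
            quoted = not quoted
        elif not quoted and c in ", \t":
            name, _, value = buf.partition("=")
            opts.append((name.lower(), value))
            buf = ""
            if c != ",":
                break                        # whitespace ends the options field
        else:
            buf += c
        i += 1
    return opts

def audit(line):
    """Return a sorted list of capabilities the key keeps."""
    allowed, forced, limits = set(TOGGLES), False, {}
    for name, value in split_options(line.strip()):
        if name == "restrict":
            allowed.clear()                  # turns every toggle off
        elif name.startswith("no-") and name[3:] in TOGGLES:
            allowed.discard(name[3:])
        elif name in TOGGLES:
            allowed.add(name)                # re-enabled after "restrict"
        elif name == "command":
            forced = True
        elif name in ("permitlisten", "permitopen"):
            limits.setdefault(name, []).append(value)
    if "port-forwarding" in allowed:         # split into -R and -L directions
        allowed.remove("port-forwarding")
        allowed.add("remote-forward:" + ",".join(limits.get("permitlisten", ["any"])))
        allowed.add("local-forward:" + ",".join(limits.get("permitopen", ["any"])))
    if not forced:
        allowed.add("any-command")
    return sorted(allowed)

# Constructed sample lines; the key blobs are placeholders, not real keys.
ANSWER_LINE = 'command="/bin/sleep 1000d" ssh-rsa AAAA...placeholder machine1'
TUNNEL_LINE = ('restrict,port-forwarding,permitlisten="localhost:2222",'
               'command="/bin/sleep 1000d" ssh-ed25519 AAAA...placeholder machine1')
```

Running audit(ANSWER_LINE) shows that the forced command by itself still leaves PTY allocation, agent, X11 and port forwarding and ~/.ssh/rc available, while audit(TUNNEL_LINE) leaves only the forwarding needed for the tunnel.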