#266
Originally Posted by fnordianslip:
Actually, a potentially good idea might be to set up an 'smscon' user on the server machine, with no privileges and no login shell.

Then, in the N900's /home/user/.ssh/config, specify for the server host the specific private key (with IdentityFile) to be used to connect to the server, and specify the User as smscon. You would then need to generate a special key pair for the smscon user, with no passphrase.

That way, your normal private keys can have passphrase protection, but the one used by SMScon to make the ssh connection to the server can't compromise accounts on other machines, but should be able to set up the tunnels.

I've not actually tried this, but I think it could work in practice.

This would work great, I think. Do you know how to create an ssh user with no privileges and, especially, no login shell?
I tried reading about chroot jail and rssh, but these options still give the user some type of limited shell, don't they? I googled but did not find how to allow only tunnelling with no shell access. Any pointers?

Thanks,
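
The setup described in the quoted post, as an added example that is not part of the original thread: it renders the N900's `.ssh/config` stanza and a tunnel-only `authorized_keys` entry for the `smscon` account, and audits such an entry. The host alias, server name, key path and key text are constructed placeholders, and the `restrict` option assumes OpenSSH 7.2 or later on the server.

```shell
#!/bin/sh
# Constructed placeholders throughout: host alias, server name, key path, key text.
# The account itself would get a non-interactive shell, for example:
#   useradd -m -s /usr/sbin/nologin smscon    (nologin path varies by distro)

# Client side: stanza for /home/user/.ssh/config on the N900.
client_stanza() {   # $1 alias  $2 server hostname  $3 passphrase-less private key
    printf 'Host %s\n    HostName %s\n    User smscon\n' "$1" "$2"
    printf '    IdentityFile %s\n    IdentitiesOnly yes\n' "$3"
}

# Server side: entry for ~smscon/.ssh/authorized_keys. "restrict" turns off
# pty, X11, agent and all forwarding; "port-forwarding" re-enables tunnels
# only; command= replaces anything the client asks to run.
server_key_line() {   # $1 = public key line: "type base64 [comment]"
    case "$1" in
        ssh-rsa\ ?*|ssh-ed25519\ ?*|ecdsa-sha2-nistp*\ ?*) ;;
        *) echo "not a bare public key line" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,command="/bin/false" %s\n' "$1"
}

# Audit: succeed only if an authorized_keys entry is limited to tunnelling.
# Assumes no spaces inside quoted option values.
is_tunnel_only() {   # $1 = one authorized_keys line
    opts=${1%% *}    # options field is the first space-free token
    case "$opts" in ssh-*|ecdsa-*|sk-*) return 1 ;; esac   # key type first: no options
    case ",$opts," in *,restrict,*) ;; *) return 1 ;; esac
    case ",$opts," in *,pty,*|*,agent-forwarding,*|*,X11-forwarding,*) return 1 ;; esac
    case ",$opts," in *,command=*) return 0 ;; *) return 1 ;; esac
}

PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY smscon@n900'   # constructed
client_stanza tunnelhost server.example.org /home/user/.ssh/id_smscon
server_key_line "$PUB"
```

With the forced command in place the client has to connect with `ssh -N`, so that only the forwardings are set up and no remote command is requested.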