AUTHORIZED_KEYS FILE FORMAT
     AuthorizedKeysFile specifies the files containing public keys for public key authentication; if this option is not specified, the default is ~/.ssh/authorized_keys and
     ~/.ssh/authorized_keys2.  Each line of the file contains one key (empty lines and lines starting with a ‘#’ are ignored as comments).
     
(...)

command="command"
             Specifies that the command is executed whenever this key is used for authentication.  The command supplied by the user (if any) is ignored.  The command is run on a pty if the
             client requests a pty; otherwise it is run without a tty.  If an 8-bit clean channel is required, one must not request a pty or should specify no-pty.  A quote may be included
             in the command by quoting it with a backslash.
(...)
from="pattern-list"
             Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns.
             See PATTERNS in ssh_config(5) for more information on patterns.
(...)
no-port-forwarding
             Forbids TCP forwarding when this key is used for authentication.  Any port forward requests by the client will return an error.  This might be used, e.g. in connection with the
             command option.
no-X11-forwarding
             Forbids X11 forwarding when this key is used for authentication.  Any X11 forward requests by the client will return an error.
(...)
restrict
             Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of ~/.ssh/rc.  If any future restriction capabilities
             are added to authorized_keys files they will be included in this set.