Restrictions on Secure Shell services, as described for non-privileged users in Section Restricting Services, do not prevent users with shell access to the system from setting up the equivalent services.
It is also possible to limit users with administrative privileges to predefined commands if shell access is not needed.
Section Disabling Root Login covers forced commands and other options for restricting administrators.
Shell access is often desired for remote administration of the server computer. It is recommended to have users log in first to their non-privileged user accounts and once logged in elevate their rights using sudo or su especially if the root account is used instead of individual administrator accounts.
The following configuration option prevents logging directly in to the privileged accounts: