Restrictions on Secure Shell services, as described for non-privileged users in Restricting Services and Restricting Services, do not prevent users with shell access to the system from setting up the equivalent services.
It is also possible to limit users with administrative privileges to predefined commands if shell access is not needed.
Shell access is often desired for remote administration of the server computer. It is recommended to have users log in first to their non-privileged user accounts and once logged in elevate their rights using
su especially if the
root account is used instead of individual administrator accounts.
The following configuration setup prevents logging directly in to the privileged accounts:
<authentication-methods> <authentication action="deny"> <selector> <user-privileged value="yes" /> </selector> </authentication> ... </authentication-methods>