Restrictions on Secure Shell services, as described for non-privileged users in Restricting Services, do not prevent users with shell access to the system from setting up the equivalent services.
It is also possible to limit users with administrative privileges to predefined commands if shell access is not needed.
Shell access is often desired for remote administration of the
server computer. It is recommended to have users log in first to their
non-privileged user accounts and once logged in elevate their rights
using sudo
or su
especially if the
root
account is used instead of individual administrator
accounts.
The following configuration setup prevents logging directly in to the privileged accounts:
<authentication-methods> <authentication action="deny"> <selector> <user-privileged value="yes" /> </selector> </authentication> ... </authentication-methods>