Being flippant for a minute, if you want your users to have access to a box but not have a shell, a tool called "secure shell" may not be the wisest choice.
Setting the default to frankly crippling levels for the primary function of a tool to accommodate an edge case seems slightly backwards to me. Host firewalls and/or disabling the option seem to be an acceptable set of hardening tasks if that use case is relevant to you.
Setting the default to frankly crippling levels for the primary function of a tool to accommodate an edge case seems slightly backwards to me. Host firewalls and/or disabling the option seem to be an acceptable set of hardening tasks if that use case is relevant to you.