I want to make an important point here in that while people are using the unsupported tech support shell, they are making the [B]conscious decision[/B] to make the trade-off between security and convenience. It absolutely could have better defense in depth built in, but if security is a primary concern for the folks enabling the dropbear ssh server, then they would not be doing this in the first place. As a matter of fact, the recommended security best practice is to completely disable the shell as outlined in the following KB article:
Note that when disabled, it requires a change to the advanced options of the host and then a reboot is required to re-enable tech support mode. By following this best practice, they can mitigate the need for the controls you mention.
So while I don’t disagree that these controls would be useful and important to have, they are not there today so the best option from a security perspective is to disable the shell and only use the provided and supported management options.