This is a bit of a brainstorm idea, but for securing an SSH server, a couple of basic recommendations are to disable direct root logins and enable public key authentication. However, if Virtualmin is installed on the server, users (and root) can still log into it using regular passwords. An idea I had would be SSH validation, which would require users to first log in to SSH and execute a token-generating script, which would provide them with a login token to be used to validate the user in Virtualmin instead of a password.
Of course, this would only work if the following conditions are met:
- The specific user has SSH access (and is not limited to SFTP by some chroot environment)
- Public key authentication is enabled and password authentication is disabled for SSH (or else there is little to no security benefit)
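
The token flow proposed above, as an added example that is not part of the original post and does not use any Virtualmin or Webmin API: `TokenStore`, `issue` and `redeem` are hypothetical names, and the in-memory dictionary stands in for a root-only store shared by the SSH-side script and the panel login. It assumes a five-minute lifetime and one outstanding token per user.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a token stays valid (assumed value)


class TokenStore:
    """Hypothetical stand-in for a root-only store shared by both sides."""

    def __init__(self, ttl=TOKEN_TTL):
        self.ttl = ttl
        self._pending = {}  # username -> (sha256 hex of token, expiry time)

    def issue(self, username, now=None):
        """SSH side: create a one-time token for the already-authenticated user.

        In a real script the username must come from the OS account running
        it (the key-authenticated SSH session), never from an argument.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored; issuing again replaces any older token.
        self._pending[username] = (digest, now + self.ttl)
        return token

    def redeem(self, username, token, now=None):
        """Panel side: accept the token once, for this user, before expiry."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[username]  # expired tokens are discarded
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return False
        del self._pending[username]  # single use: a replayed token fails
        return True
```

A real deployment would also need to rate-limit failed `redeem` attempts and keep the store readable only by the issuing script and the panel process.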