Add users with no SSH access to deniedssh group?
By default, Virtualmin will configure the SSH server to prevent logins by users whose shells would not allow SSH access anyway. This is done by populating the deniedssh group, and adding it to the OpenSSH configuration.

If you would like to disable this behavious, perhaps because it is not necessary or causes domain creation to take too long, change this field to No.