@tuxpower
Last active September 18, 2018 08:43

Preventing users from using shell escapes

Certain programs, especially text editors and pagers, have a handy shell escape feature that lets a user run a shell command without having to exit the program first. For example, from the command mode of the Vi and Vim editors, someone could run the ls command by typing :!ls. If the program was started through sudo, that command runs with the elevated privileges as well.

You can fix this problem by granting sudoedit instead of vim in the sudoers entry:

<USERNAME>     ALL=(ALL)     sudoedit /etc/ssh/sshd_config

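sudoedit has no shell escape feature, so you can safely allow someone to use it: it runs the editor as the invoking user on a temporary copy of the file, so anything started from the editor runs with that user's own privileges.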

Other programs that have a shell escape feature include the following:

  • emacs
  • less
  • view
  • more
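
An added example, not part of the original gist: a small Python audit that scans sudoers text for rules granting the programs named above (vi, vim, emacs, less, view, more) directly, where sudoedit would be the safer grant. The function names and the sample policy are constructed for illustration; aliases, include files and escaped commas are not handled.

```python
import re

# Programs the page names as having a shell escape (vi/vim from its example).
ESCAPE_CAPABLE = {"vi", "vim", "emacs", "less", "view", "more"}

# Constructed sample policy for this example, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
alice   ALL=(ALL) /usr/bin/vim /etc/ssh/sshd_config
bob     ALL=(ALL) sudoedit /etc/ssh/sshd_config
carol   ALL=(root) NOPASSWD: /usr/bin/less /var/log/secure, \\
        /usr/bin/systemctl restart sshd
%ops    ALL=(ALL) /bin/more, /usr/bin/emacs
"""

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def find_escape_risks(text):
    """Return (line, user, command) for rules granting an escape-capable program."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#") or "=" not in line:
            continue
        head, cmds = line.split("=", 1)
        user = (head.split() or [""])[0]
        if not user or user.startswith("Defaults") or user.endswith("_Alias"):
            continue  # settings and alias definitions are not user rules
        cmds = re.sub(r"\([^)]*\)", " ", cmds)   # drop (runas) specifications
        cmds = re.sub(r"\b[A-Z_]+:", " ", cmds)  # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd and cmd.split()[0].rsplit("/", 1)[-1] in ESCAPE_CAPABLE:
                findings.append((n, user, cmd))
    return findings

if __name__ == "__main__":
    for n, user, cmd in find_escape_risks(SAMPLE_SUDOERS):
        print(f"line {n}: {user} may run {cmd!r}; consider sudoedit")
```

Run it against a copy of the policy rather than the live file, and review each finding by hand, since the match is on the command's base name only.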