diff --git a/data/hooks/diagnosis/70-regenconf.py b/data/hooks/diagnosis/70-regenconf.py
index 5ab1e3808..b8551f5fe 100644
--- a/data/hooks/diagnosis/70-regenconf.py
+++ b/data/hooks/diagnosis/70-regenconf.py
@@ -35,6 +35,16 @@ class RegenconfDiagnoser(Diagnoser):
                     details=["diagnosis_regenconf_manually_modified_details"],
                 )
 
+        if any(f["path"] == '/etc/ssh/sshd_config' for f in regenconf_modified_files) \
+            and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
+                yield dict(
+                   meta={
+                       "test": "sshd_config_insecure"
+                   },
+                   status="ERROR",
+                   summary="diagnosis_sshd_config_insecure",
+                )
+
     def manually_modified_files(self):
 
         for category, infos in _get_regenconf_infos().items():
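Review bot: The grep pattern on the added `os.system(...)` line only matches the exact spellings `AllowGroups`/`AllowUsers` preceded by spaces, but sshd_config keywords are case-insensitive and may be indented with tabs, so a file that does restrict logins with e.g. `allowusers` would be reported as insecure. In the other direction, the pattern is satisfied by a directive that appears only inside a `Match` block, and it does not look at files pulled in through `Include`, so a pass does not prove that access is restricted globally. A more tolerant test would be `grep -qiE '^[[:space:]]*(AllowGroups|AllowUsers)' /etc/ssh/sshd_config`; checking the effective configuration printed by `sshd -T` would be more reliable still. The same command is duplicated in the 0020_ssh_sftp_permissions.py hunk, so a shared helper would keep the two checks in step. Whether this file already imports `os` is not visible in the hunk.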
diff --git a/locales/en.json b/locales/en.json
index 027fe981e..840d359ed 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -269,6 +269,7 @@
     "diagnosis_unknown_categories": "The following categories are unknown: {categories}",
     "diagnosis_never_ran_yet": "It looks like this server was setup recently and there's no diagnosis report to show yet. You should start by running a full diagnosis, either from the webadmin or using 'yunohost diagnosis run' from the command line.",
     "diagnosis_processes_killed_by_oom_reaper": "Some processes were recently killed by the system because it ran out of memory. This is typically symptomatic of a lack of memory on the system or of a process that ate up to much memory. Summary of the processes killed:\n{kills_summary}",
+    "diagnosis_sshd_config_insecure": "The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.",
     "domain_cannot_remove_main": "You cannot remove '{domain:s}' since it's the main domain, you first need to set another domain as the main domain using 'yunohost domain main-domain -n <another-domain>'; here is the list of candidate domains: {other_domains:s}",
     "domain_cannot_add_xmpp_upload": "You cannot add domains starting with 'xmpp-upload.'. This kind of name is reserved for the XMPP upload feature integrated in YunoHost.",
     "domain_cannot_remove_main_add_new_one": "You cannot remove '{domain:s}' since it's the main domain and your only domain, you need to first add another domain using 'yunohost domain add <another-domain.com>', then set is as the main domain using 'yunohost domain main-domain -n <another-domain.com>' and then you can remove the domain '{domain:s}' using 'yunohost domain remove {domain:s}'.'",
diff --git a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
index 97d4ee2fd..52d813d32 100644
--- a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
+++ b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
@@ -1,4 +1,5 @@
 import subprocess
+import os
 
 from moulinette import m18n
 from moulinette.utils.log import getActionLogger
@@ -6,6 +7,7 @@ from moulinette.utils.filesystem import read_yaml
 
 from yunohost.tools import Migration
 from yunohost.permission import user_permission_update, permission_sync_to_user
+from yunohost.regenconf import manually_modified_files
 
 logger = getActionLogger('yunohost.migration')
 
@@ -49,6 +51,10 @@ class MyMigration(Migration):
         # old loginShell value ?
         subprocess.call(['nscd', '-i', 'passwd'])
 
+        if '/etc/ssh/sshd_config' in manually_modified_files() \
+            and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
+                logger.error(m18n.n('diagnosis_sshd_config_insecure'))
+
     def run_after_system_restore(self):
         self.run()
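Review bot: The added check shells out with `os.system("grep ...")` although this file already imports `subprocess` and calls it in list form two lines above (`subprocess.call(['nscd', '-i', 'passwd'])`). Writing it as `subprocess.call(['grep', '-q', '^ *AllowGroups\\|^ *AllowUsers', '/etc/ssh/sshd_config']) != 0` would avoid the shell and the new `import os`. The finding is only logged, so the migration presumably still completes as successful while sshd may not enforce the restriction. If that is intended, a comment such as `# Non-blocking: the regenconf diagnosis keeps reporting this until sshd_config is fixed` would make it explicit. The enclosing method starts outside the hunk.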