2008-10-20

Restrict user logins with pam_listfile

In some situations it is useful to allow a direct ssh login only to a handful of privileged users or groups. A typical scenario is a web server or a mail server that is integrated into an LDAP directory: by default, every user in your directory may be able to log in.

A very flexible and easy way to restrict logins is the pam_listfile module. It lets you restrict the login to specific users or groups. The allowed users and/or groups are listed in a simple configuration file, one entry per line. That's all.

But first you have to change your pam (for the noobs: pam == pluggable authentication modules) configuration a little bit. Here is a simplified configuration for the sshd login on a Debian box:


# PAM configuration for the Secure Shell service

# Allow only users who are in the groups listed in /etc/logingroups
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/logingroups

# Standard Un*x authentication.
@include common-auth

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Standard Un*x password updating.
@include common-password

Then add every group that should be able to log in to the /etc/logingroups file, one per line. Don't forget to add the root group if you want to allow root logins via ssh.

You can do the same with users: simply change item=group to item=user and choose another name for the file attribute.
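Before you close your existing session, it is worth checking how the module will decide for a given account. The following shell script is an added example, not part of the original post: it reproduces the decision of the item=group sense=allow onerr=fail line above against a list file (a constructed temporary file stands in for /etc/logingroups), including the deny-on-missing-file and deny-on-world-writable-file cases.

```shell
#!/bin/sh
# Added example: simulate pam_listfile "item=group sense=allow onerr=fail".
# Usage: listfile_group_allowed <listfile> <group>...
# Returns 0 (allow) if any given group is listed in the file, 1 (deny) otherwise.
listfile_group_allowed() {
    file=$1; shift
    # onerr=fail: a missing or unreadable list file denies everyone.
    [ -f "$file" ] && [ -r "$file" ] || return 1
    # pam_listfile refuses a world-writable list file (treated as an error).
    [ -n "$(find "$file" -perm -o+w 2>/dev/null)" ] && return 1
    # sense=allow: the first group that matches a whole line grants access.
    for g in "$@"; do
        grep -qx -- "$g" "$file" && return 0
    done
    return 1
}

# Convenience wrapper: look up a real account's groups, as pam_listfile does.
listfile_user_allowed() {
    # shellcheck disable=SC2046
    listfile_group_allowed "$2" $(id -Gn "$1" 2>/dev/null)
}

# Constructed demo data: a temporary stand-in for /etc/logingroups.
tmp=$(mktemp)
printf 'root\nsshusers\n' > "$tmp"
listfile_group_allowed "$tmp" www-data users   && echo allow || echo deny   # deny
listfile_group_allowed "$tmp" users sshusers   && echo allow || echo deny   # allow
listfile_group_allowed /nonexistent sshusers   && echo allow || echo deny   # deny
chmod o+w "$tmp"
listfile_group_allowed "$tmp" sshusers         && echo allow || echo deny   # deny
rm -f "$tmp"
```

Run listfile_user_allowed against the accounts you care about (your own included) before logging out, because an empty or missing list combined with onerr=fail locks everyone out.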

There may be other ways to restrict logins, but I believe this one is really elegant. Naturally, you can use the module with other pam-based services (e.g. login) too.