
Sometimes it is preferable to disallow direct ssh access for specific users or groups.

Within the Bonsai Framework, we often use this for service accounts, to create better traceability. Staff must first log in with their own account, which leaves a log of who the user is, and then sudo into the service group.

This is accomplished by modifying /etc/ssh/sshd_config.

Deny SSH Access for Users

...

Deny SSH Access for Groups

We usually use this as the second approach, because adding a denied group (for the legitimate case of sharing administration rights) to a user who normally uses ssh will break ssh access for that user.
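
The lock-out described above can be checked before a group change is made. The following is an added example, not part of the original page or the Bonsai Framework: a shell function that reads DenyUsers and DenyGroups from sshd_config text and reports whether a user with a given group list would be refused. The account names, group names and sample configuration are constructed.

```shell
#!/bin/sh
# Added example. Constructed sshd_config fragment; the account and
# group names are assumptions, not values from the page.
SAMPLE_CONFIG='PermitRootLogin no
# service accounts may not log in directly
DenyUsers svc_app svc_batch
DenyGroups svc_admins'

# directive_values CONFIG KEYWORD: print every pattern given for KEYWORD.
# Keywords are case-insensitive; Match blocks and "key=value" are not handled.
directive_values() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }'
}

# matches_any NAME PATTERN...: succeed if NAME matches a pattern. Shell
# globbing covers * and ?; negated (!) and USER@HOST forms are not handled.
matches_any() {
    name=$1; shift
    for pat in "$@"; do
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# ssh_denied CONFIG USER "GROUP ...": print the matching directive and
# return 0 if denied, else print "allowed" and return 1.
# AllowUsers/AllowGroups are not modelled.
ssh_denied() {
    cfg=$1; user=$2; memberships=$3
    set -f    # keep wildcard patterns from expanding against files
    deny_users=$(directive_values "$cfg" DenyUsers)
    deny_groups=$(directive_values "$cfg" DenyGroups)
    verdict=allowed
    if matches_any "$user" $deny_users; then
        verdict="DenyUsers:$user"
    else
        for g in $memberships; do
            if matches_any "$g" $deny_groups; then
                verdict="DenyGroups:$g"; break
            fi
        done
    fi
    set +f
    echo "$verdict"
    [ "$verdict" != allowed ]
}

# A normal ssh user before and after joining the denied group.
ssh_denied "$SAMPLE_CONFIG" alice "alice staff" || true
ssh_denied "$SAMPLE_CONFIG" alice "alice staff svc_admins"
```

On a live host the function can be fed real data, for example `ssh_denied "$(cat /etc/ssh/sshd_config)" alice "$(id -Gn alice) svc_admins"`, to preview the effect of adding alice to svc_admins.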
