/etc/security Hardening? - Console Lockdown - pam_access - access.conf

use pam_acccess only for /etc/pam.d/login
remove Allow members of group 'ssh' to login.
remove +:ssh:ALL EXCEPT LOCAL

The SSH restrictions earlier was just a byproduct of not knowing how to implement this better, i.e like how it is implemented now. Now this is effectively only used for /etc/pam.d/login.

Does pam_access line

+:ssh:ALL EXCEPT LOCAL

make sense for /etc/pam.d/ssh or should pam_access be used for any other services in /etc/pam.d folder too?