2008-10-21. The old problem: allow root only from a particular subnet, and all other users from anywhere, in sshd_config. This is easy if the `others' are a well-known handful, in which case it's just:

AllowUsers root@n.n.n.* name1 name2

in sshd_config. But with a lot of users one doesn't want to have to name each, and to update the list on every account create/delete. Automating this list-updating would seem a bit silly compared to finding a direct way to effect the restriction...

(Allow|Deny)Groups doesn't accept hostnames, so AllowGroups root@n.n.n.* ets doesn't work, even if just one or a few groups would suffice to define all `normal' users. The negation operator doesn't seem to work as expected: DenyUsers root@!n.n.n.* didn't work (I forget whether it allowed all or none!).

Working a different way, using PAM: http://www.cyberciti.biz/tips/openssh-root-user-account-restriction-revisited.html

Add to /etc/security/access.conf:

+ : root : LOCAL 130.237.53.0/24 .ets.kth.se 127.0.0.1
- : root : ALL
+ : ALL : ALL

(the last entry seems to be redundant, according to the notes). Add to /etc/pam.d/sshd:

account required pam_access.so

Then, as long as sshd is using PAM, it seems to work as desired!

What IS rather strange is how the .ets.kth.se entry was needed, else no login was allowed for root. It seems (as was threatened for sshd too in some web-based manual) that IF the address was resolved to a name, then the name is used (the -u option to sshd sets a length of name beyond which the address will be used instead, so -u0 always uses addresses). This strikes me as pretty silly, confusing the two. Likewise, the description of the access.conf file is that usernames and groupnames are confused, with groups being checked if no username matches the one in the list.
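To see why the .ets.kth.se entry mattered, here is an added, simplified model of pam_access first-match evaluation run over the three access.conf lines above (example code written for this note, not pam_access itself; the group table and the sample origins are constructed). It assumes that what PAM sees as the origin is whatever string sshd passed it, a resolved name or a dotted address.

```python
import ipaddress

# The three lines from the note above, fed in as a string.
ACCESS_CONF = """\
+ : root : LOCAL 130.237.53.0/24 .ets.kth.se 127.0.0.1
- : root : ALL
+ : ALL : ALL
"""
# Constructed group membership; real pam_access consults the group database.
GROUPS = {"staff": {"alice", "bob"}}

def user_matches(field, user):
    """A user field is ALL, a username, or a group the user belongs to."""
    return field == "ALL" or field == user or user in GROUPS.get(field, set())

def origin_matches(field, origin):
    """Match one origin token against the origin string PAM received."""
    if field == "ALL":
        return True
    if field == "LOCAL":                  # LOCAL: origin string contains no '.'
        return "." not in origin
    if field.startswith("."):             # domain suffix such as .ets.kth.se
        return origin.endswith(field)
    if "/" in field:                      # CIDR network: only an address can match
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(field, strict=False)
        except ValueError:                # origin was a host name, not an address
            return False
    return origin == field                # literal host name or address

def check_access(conf, user, origin):
    """True if login is permitted: the first matching line decides, default permit."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if any(user_matches(u, user) for u in users.split()) and \
           any(origin_matches(o, origin) for o in origins.split()):
            return perm == "+"
    return True

if __name__ == "__main__":
    # Same machine, seen once as an address and once as its resolved name.
    for user, origin in [("root", "130.237.53.7"), ("root", "pc.ets.kth.se"),
                         ("root", "192.0.2.10"), ("alice", "192.0.2.10")]:
        verdict = "permit" if check_access(ACCESS_CONF, user, origin) else "deny"
        print(f"{user} from {origin}: {verdict}")
```

Dropping the .ets.kth.se token makes root from a resolved name fall through to the "- : root : ALL" line, which is the lockout described above; the default permit when no line matches is also why the final "+ : ALL : ALL" line is redundant.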