Restrict ssh access to memebers of group ssh_login

core/default/etc/ssh/sshd_config.d/AccessRestriction.conf

@@ -0,0 +1,10 @@
+# Allows user 'root' to use ssh always.
+# This should prevent lockout because access is allowed without group membership.
+#    For details see: https://serverfault.com/questions/617081/how-to-use-both-allowgroups-and-allowusers-in-sshd-config 
+AllowUsers root
+# 1. Create custom group 'ssh_login' of type system if not exist:
+#    - addgroup --system "ssh_login"
+# 2. Additionally allow users of group 'ssh_login' to use ssh only:
+#    - adduser "${USER}" "ssh_login"
+Match group ssh_login
+    AllowUsers *