I have a rule in place that goes like this; (Leading less-than's ommited)
The group attribute in the rule does not match directly to operating system groups, they match groups defined in the server configuration. Also, in order for this rule to take effect there needs to be a selector that places an incoming user into this rule.
For example, in order for your rule to apply to users from group foo, you would need something like this:
These need to be before the default rule (the one that does not define a group), since the first one to match will be used.
The user-group selector can match against both a group name or GID. Wildcards are also allowed.
For a more complete description of all the selectors that can be used within a group, see here: http://productdocs.ssh.com/support/documentation/online/ssh/adminguide/61/serverconfig-selectors.html
answered Aug 20 '10 at 13:27