Access to Linux machines can be controlled through PAM's access module.

Enable the access module by making it required in /etc/pam.d/common-account:

account required

Now configure /etc/security/access.conf. The file format is:

(+|-) : <user or group> : <machines allowed to connect>

Typically, to restrict access to a single user via SSH and root from the console only, the file will look like:

+ : jsmith : ALL
- : ALL : ALL

Note the last line, which denys all other users access from all locations.

Changes take effect immediately.

To allow su-ing to and cronjobs to be run by a non-login user, allow that user from LOCAL:

+ : dummyuser : LOCAL

This is important; if you don't allow your cron users LOCAL access, their cronjobs will fail silently.