Access to Linux machines can be controlled through PAM's access module.
Enable the access module by making it required in /etc/pam.d/common-account:
... account required pam_access.so
Now configure /etc/security/access.conf. The file format is:
(+|-) : <user or group> : <machines allowed to connect>
Typically, to restrict access to a single user via SSH and root from the console only, the file will look like:
+ : ROOT : LOCAL + : jsmith : ALL - : ALL : ALL
Note the last line, which denys all other users access from all locations.
Changes take effect immediately.
To allow su-ing to and cronjobs to be run by a non-login user, allow that user from LOCAL:
+ : dummyuser : LOCAL
This is important; if you don't allow your cron users LOCAL access, their cronjobs will fail silently.