Under CentOS5, I used this configuration to restrict access to root only:
# cat /etc/security/access.conf
- : root : ALL
- : ALL : ALL
# cat /etc/pam.d/system-auth-ac ... account required pam_access.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so ... #
Figured it out by reverse-engineering the changes made by system-config-authentication.
In addition to system-auth-ac, as a minimum, password-auth-ac needs the same update. To make it complete, fingerprint-auth-ac and smartcard-auth-ac need the additional line, too (not that they matter on the server hw here).
The state of PAM access is also recorded in /etc/sysconfig/authconfig (USEPAMACCESS=yes/no), but this seems to serve as a reminder for system-config-authentication more than actual system services configuration.