[CentOS] pam_access.so restrictions not working - syntax errors?

Fri Mar 20 13:49:28 UTC 2009
Dirk H. Schulz <dirk.schulz at kinzesberg.de>

Hi folks,

I want to restrict root access via ssh to certain (internal) hosts.

That is what pam_access.so is for, I thought, so I configured:

in /etc/security/access.conf I added (nothing in there before):
+ : root :
- : root : ALL

in /etc/pam.d/ssh I added at the end:
account required pam_access.so

Then I restarted the ssh server.

Basically, this kinda works. Cron suddenly had no right to do its
job, so I had to add
+ : root : LOCAL
to /etc/security/access.conf

But there still is no restriction on ssh logins by root - I can still
log in from anywhere.

Next I tried putting it in one line in /etc/security/access.conf:
That did not change anything, still I can log in via ssh.

I am stuck. According to documentation and the examples on the net
this should be the right syntax. And, by the way, in my
/etc/ssh/sshd_config I have "UsePAM yes".

Any help or hint is appreciated.
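
Added example, not part of the original post: a simplified Python model of how access.conf entries of the form "permission : users : origins" are evaluated (the first matching entry decides, and no match at all grants access), useful for checking a rule set offline before relying on it. The sample rules, the 192.0.2. network standing in for the internal hosts, and all function names are constructed for illustration; skipping lines without three non-empty fields is an assumption of this model.

```python
# Simplified model of access.conf evaluation as used by pam_access.
# Not modelled: groups, netgroups, EXCEPT, network/netmask, IPv6, name resolution.

SAMPLE_RULES = """\
# constructed sample; 192.0.2. stands in for the internal network
+ : root : LOCAL
+ : root : 192.0.2.
- : root : ALL
"""

def parse_rules(text):
    """Return (rules, skipped); each rule is (permit, users, origins)."""
    rules, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        # Assumption of this model: anything but three non-empty fields is skipped.
        if len(fields) != 3 or fields[0] not in ("+", "-") or not all(fields):
            skipped.append(raw)
            continue
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules, skipped

def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":            # any origin string without a dot (tty, service name)
        return "." not in origin
    if token.endswith("."):         # network prefix, e.g. "192.0.2."
        return origin.startswith(token)
    if token.startswith("."):       # domain suffix, e.g. ".example.com"
        return origin.lower().endswith(token.lower())
    return token.lower() == origin.lower()

def is_allowed(rules, user, origin):
    """First matching rule decides; no match at all means access is granted."""
    for permit, users, origins in rules:
        user_hit = "ALL" in users or user in users
        if user_hit and any(origin_matches(t, origin) for t in origins):
            return permit
    return True

if __name__ == "__main__":
    rules, skipped = parse_rules(SAMPLE_RULES)
    for user, origin in [("root", "cron"), ("root", "192.0.2.10"),
                         ("root", "203.0.113.7"), ("alice", "203.0.113.7")]:
        print(user, origin, "allow" if is_allowed(rules, user, origin) else "deny")
```

Because the first match decides, the order of the entries matters: a "- : root : ALL" line placed before the "+" lines would deny root everywhere in this model, including cron.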