Which pam module consults /etc/security/access.conf?  I have a deny clause in it but it doesn't seem to work.

In /var/log/secure, I see a

<hostname> sshd[1879]: pam_sss(sshd:auth): authentication success...
<hostname> sshd[1879]: Accepted password for ...
<hostname> sshd[1879]: pam_unix(sshd:session): session opened for user ...