So I wrote a script that replaces the ssh_config, sshd_config, sudoers, login.defs, pam.d/sshd, pam.d/system-auth; adds the groups - these will need to be changed in the script to match what you set in the files); and creates the ssh user account. The ssh user account doesn't have a password set, unless you use an existing account, so you will need to set one manually.
the run down...
sshuser is only used for ssh access to the server. This password has to meet a set of requirements and will expire in 90 days; all user accounts will expire in 90 days.
The goal was to have 1 account that is allowed to ssh and then be forced to su to their account. those that are joined to the admin group will have sudo access. Some sudo commands restricted to prevent users from getting to root. The list isn't exhausted.
Make changes where you see fit. Constructive feed back is welcomed.
[link][18 comments]