Question : Problem: I would like to restrict root access over ssh to a specific subnet, but sshd seems to be ignoring my PAM settings

I was using the sshd option PermitRootLogin no to prevent root logins into my server.  But I now want to prevent root logins from all but a few subnets.  

I have changed the sshd settings as follows:
PermitRootLogin yes
UsePAM yes
ChallengeResponseAuthentication yes

I have added the following line to /etc/security/access.conf (I want to ensure that PAM is properly blocking root logins before trying to open up any subnets):
- : root : ALL

I have also added this line at the bottom of /etc/pam.d/sshd:
account    required     pam_access.so

I restarted sshd and expected root logins to be rejected, but they are not; instead they are accepted, with the following message in /var/log/secure:

Oct 31 13:29:25 XHOST sshd[32675]: Accepted keyboard-interactive/pam for root from xxx.xxx.xxx.xxx port 37113 ssh2
Oct 31 13:29:25 XHOST  sshd[32675]: pam_unix(sshd:session): session opened for user root by (uid=0)


I have been following http://www.cyberciti.biz/tips/openssh-root-user-account-restriction-revisited.html as a guide but it doesn't seem to be working.



Answer : Problem: I would like to restrict root access over ssh to a specific subnet, but sshd seems to be ignoring my PAM settings

It seems the process name and the rest of the parameters are ANDed, so this line works:

- : root : sshd ALL
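
An added example, not part of the original question or answer: a simplified Python model of how pam_access scans access.conf (the first matching rule decides, and no match means access is granted), used to dry-run the "root only from a few subnets" rules the question is working toward. The subnets are constructed documentation ranges, and the model assumes the origin being compared is the remote IP address; it handles only user names, ALL, EXCEPT and IP/CIDR origins, not groups, hostnames, ttys or service names.

```python
import ipaddress

# Constructed rules: 192.0.2.0/24 and 198.51.100.0/24 stand in for the admin subnets.
TWO_RULES = """\
# allow root from the admin subnets, refuse it everywhere else
+ : root : 192.0.2.0/24 198.51.100.0/24
- : root : ALL
"""
ONE_RULE = "- : root : ALL EXCEPT 192.0.2.0/24 198.51.100.0/24\n"

def _origin_match(token, addr):
    """True if addr is inside the network (or equals the address) named by token."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # hostnames, ttys, LOCAL, service names: not modelled here

def _list_match(tokens, value, match_one):
    """Match a space-separated list; 'A EXCEPT B' means A and not B."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(tokens[:i], value, match_one)
                and not _list_match(tokens[i + 1:], value, match_one))
    return any(t == "ALL" or match_one(t, value) for t in tokens)

def access_allowed(conf_text, user, remote_addr):
    """Return the decision of the first rule matching (user, remote_addr)."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (_list_match(users.split(), user, lambda t, v: t == v)
                and _list_match(origins.split(), remote_addr, _origin_match)):
            return perm == "+"
    return True  # no rule matched: access is granted

if __name__ == "__main__":
    for conf in (TWO_RULES, ONE_RULE):
        for who, src in (("root", "192.0.2.15"), ("root", "203.0.113.7"),
                         ("alice", "203.0.113.7")):
            print(who, src, "allow" if access_allowed(conf, who, src) else "deny")
```

Rule order matters in the two-line form: with the deny line first, root is refused even from the listed subnets, because scanning stops at the first match.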