How can one allow or deny an ssh login for a specific user(s) or group(s) on an sshd server?

Update the sshd config

To deny a user ssh login, add this to the end of your sshd config file (/etc/ssh/sshd_config in Linux/Unix/BSD):

DenyUsers theusername

For groups:

DenyGroups thegroupname

Restart the sshd service

Then restart the sshd service. The following works on Ubuntu 18.04:

systemctl restart sshd

More details

One can add a space-separated list of user or group names, respectively.

The AllowUsers and AllowGroups directives do the opposite.

Excerpt from the sshd_config man page:

DenyGroups

This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

DenyUsers

This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

See PATTERNS in ssh_config(5) for more information on patterns.

Another way to do it is by using access.conf.

First, you need to enable pam_access in /etc/pam.d/sshd by adding the following line:

required pam_access.so

Then you can edit /etc/security/access.conf, and remove access to the required user(s)/group(s) by adding the following line for each one:

-:<user or group>:ALL