Hands-on lab – configuring whitelists within sshd_config

This lab will work on any of your VMs. Follow these steps:

  1. On the VM that you wish to configure, create user accounts for Frank, Charlie, and Maggie. On Ubuntu, do the following:
sudo adduser frank
. . .

On CentOS, do the following:

sudo useradd frank
sudo passwd frank
. . .
  2. Create the webadmins group and add Frank to it:
sudo groupadd webadmins
sudo usermod -a -G webadmins frank
  3. From either your host machine or from another VM, have the three users log in via SSH. Then, log them back out.
  4. Open the /etc/ssh/sshd_config file in your favorite text editor. At the bottom of the file, add an AllowUsers line with your own username, like so:
AllowUsers donnie
  5. Then, restart the SSH service and verify that it has started correctly:
For Ubuntu:
sudo systemctl restart ssh
sudo systemctl status ssh

For CentOS:
sudo systemctl restart sshd
sudo systemctl status sshd
  6. Repeat step 3. This time, these three kitties shouldn't be able to log in. Open the /etc/ssh/sshd_config file in your text editor again and, at the bottom of the file, add an AllowGroups line for the webadmins group, like so:
AllowGroups webadmins
  7. Restart the SSH service and verify that it started properly.

From either your host machine or another VM, have Frank try to log in. You'll see that even though he's a member of the webadmins group, he'll still be denied. That's because sshd evaluates the allow and deny directives in a fixed order (DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups), and a login has to pass every directive that is set. Frank isn't listed on the AllowUsers line, so he is refused before the AllowGroups line is ever consulted. The same rule cuts the other way, too: with both lines in place, your own account is refused as well unless it belongs to webadmins, so keep your existing SSH session open (or the local console handy) while you experiment.

  8. Open sshd_config in your text editor and remove the AllowUsers line that you inserted in step 4. Restart the SSH service and verify that it started properly.
  9. Try to log into your own account, and then try to log into the accounts of all the other users. You should now see that Frank is the only one who is allowed to log in. The only way that any of the other users can now log into the VM is from the VM's local console.
  10. Log into your own account at the VM's local console. Delete the AllowGroups line from sshd_config and restart the SSH service.
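The following script is an added example and is not part of the book or of OpenSSH. It models the order in which sshd applies DenyUsers, AllowUsers, DenyGroups and AllowGroups, as documented in sshd_config(5), so you can predict who will get in before you restart the daemon and find out the hard way. The model is deliberately simplified (an assumption of this example): user@host patterns and Match blocks are ignored, and repeated directive lines are concatenated. The sample sshd_config it writes to a temp file is constructed for the example and reproduces the state after step 6, where both lines are present.

```bash
#!/bin/bash
# Added example, not from the book: a small model of the order in which sshd
# applies DenyUsers, AllowUsers, DenyGroups and AllowGroups (sshd_config(5)).
# Simplifications (assumptions of this model): user@host patterns and Match
# blocks are ignored; repeated directive lines are concatenated.
set -f   # no pathname expansion, so a '*' in a pattern stays a pattern

# directive_values CONFIG NAME: print the values of every NAME line in CONFIG,
# space separated, skipping comments; directive names are case-insensitive.
directive_values() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1"
}

# match_any NAME PATTERN...: true if NAME matches at least one pattern.
# An unquoted $pat in a case label is a glob, so * and ? work as in sshd.
match_any() {
    local needle="$1" pat
    shift
    for pat in "$@"; do
        case "$needle" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# ssh_login_allowed CONFIG USER GROUP...: return 0 (allow) or 1 (deny) and
# print the reason. GROUP... is the user's primary plus supplementary groups.
ssh_login_allowed() {
    local cfg="$1" user="$2" g
    shift 2
    local groups="$*"
    local deny_users allow_users deny_groups allow_groups
    deny_users=$(directive_values "$cfg" DenyUsers)
    allow_users=$(directive_values "$cfg" AllowUsers)
    deny_groups=$(directive_values "$cfg" DenyGroups)
    allow_groups=$(directive_values "$cfg" AllowGroups)

    # 1. DenyUsers: a listed user is refused outright.
    if match_any "$user" $deny_users; then
        echo "deny: $user matches DenyUsers"; return 1
    fi
    # 2. AllowUsers: once set, only listed users get any further.
    if [ -n "$allow_users" ] && ! match_any "$user" $allow_users; then
        echo "deny: AllowUsers is set and $user is not listed"; return 1
    fi
    # 3. DenyGroups: membership in any listed group refuses the login.
    for g in $groups; do
        if match_any "$g" $deny_groups; then
            echo "deny: group $g matches DenyGroups"; return 1
        fi
    done
    # 4. AllowGroups: once set, the user must be in at least one listed group.
    if [ -n "$allow_groups" ]; then
        for g in $groups; do
            if match_any "$g" $allow_groups; then
                echo "allow: $user via group $g"; return 0
            fi
        done
        echo "deny: AllowGroups is set and $user is in none of those groups"; return 1
    fi
    echo "allow: $user (no directive excluded the login)"; return 0
}

# make_lab_config: write a constructed, trimmed sshd_config reproducing the
# state after step 6 of the lab (both lines present) to a temp file.
make_lab_config() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed for this example; not a real server's file
PermitRootLogin no
AllowUsers donnie
AllowGroups webadmins
EOF
    echo "$f"
}

# Demo: who gets in with both directives present?
cfg=$(make_lab_config)
ssh_login_allowed "$cfg" frank webadmins frank || true   # not in AllowUsers
ssh_login_allowed "$cfg" donnie donnie || true          # not in webadmins
ssh_login_allowed "$cfg" charlie charlie || true        # neither
rm -f "$cfg"
```

On the real VM, the daemon can answer the same question for you: `sudo sshd -t` checks sshd_config for syntax errors before you restart, and `sudo sshd -T` prints the effective configuration (including the allowusers and allowgroups values sshd actually parsed), which is the authoritative check when a Match block or a second directive line is in play.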

You've reached the end of the lab – congratulations!

You've just seen how to configure a whitelist on the daemon level, using the SSH daemon's own configuration file. Next, we'll look at configuring whitelists at the network level.
