The openssh 3.1p1_1 (portable) and openssh-3.1_3 ports do not examine /etc/login.conf for restrictions such as ttys.{allow,deny}, unless UseLogin is set on in /etc/ssh/sshd_config. This directive has been exploited in the past, and is now turned off by default.

Fix:

These lines from the native SSH session.c (/usr/src/crypto/openssh/session.c) seem to be the key!

    #ifdef HAVE_LOGIN_CAP
    	if (!auth_ttyok(lc, s->tty)) {
    		(void)printf("Permission denied.\n");
    		log(
    		    "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
    		    pw->pw_name,
    		    get_remote_name_or_ip(utmp_len, options.reverse_mapping_check),
    		    s->tty);
    		exit(254);
    	}
    #endif /* HAVE_LOGIN_CAP */

How-To-Repeat:

Set up a class with a tty restriction. Created user in that class, and verified with "pw usershow <username> -P". Installed "non-portable" (aka native) OpenSSH port. Killed existing sshd and started OpenSSH "/usr/local/sbin/sshd -f /etc/ssh/sshd_config". Attempted SSH into box, and logged in successfully. Rinse. Lather. Repeat with OpenSSH portable. Finally, tried with "native" SSHD (no changes to /etc/ssh/sshd_config) and it worked.

Responsible Changed
From-To: freebsd-ports->dinoex

Over to maintainer

State Changed
From-To: open->closed

Changes have been committed, Thanks for pointing out.
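
An audit check for the condition this report describes, added here as an example (it is not code from the report or from the OpenSSH ports): it lists the login classes whose ttys.allow/ttys.deny rules an affected sshd would skip because UseLogin is off. The class names and file contents are constructed samples, and the login.conf parsing is an assumption-level simplification that ignores escaped colons inside values.

```python
import re

TTY_CAPS = ("ttys.allow", "ttys.deny")

# Constructed sample login.conf: one class restricts ttys, one inherits it.
SAMPLE_LOGIN_CONF = """\
default:\\
\t:path=/bin /usr/bin:\\
\t:umask=022:
consoleonly:\\
\t:ttys.allow=ttyv0,ttyv1:\\
\t:tc=default:
operators:\\
\t:tc=consoleonly:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from login.conf text."""
    joined = re.sub(r"\\\n[ \t]*", "", text)  # fold backslash continuations
    classes = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        caps = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        for name in fields[0].split("|"):  # a record may carry aliases
            classes[name] = caps
    return classes

def tty_rules(classes, name, seen=()):
    """TTY capabilities of a class, following tc= inheritance."""
    caps = classes.get(name, {})
    rules = {}
    parent = caps.get("tc")
    if parent and parent not in seen:  # guard against tc= loops
        rules.update(tty_rules(classes, parent, seen + (name,)))
    rules.update({k: caps[k] for k in TTY_CAPS if k in caps})
    return rules

def uselogin_enabled(sshd_config):
    """True if sshd_config turns UseLogin on; sshd keeps the first value."""
    for line in sshd_config.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].lower() == "uselogin":
            return words[1].lower() == "yes"
    return False  # off by default, as the report states

def unenforced_tty_rules(login_conf, sshd_config):
    """Classes whose tty rules sshd would not check when UseLogin is off."""
    if uselogin_enabled(sshd_config):
        return {}
    classes = parse_login_conf(login_conf)
    found = {n: tty_rules(classes, n) for n in sorted(classes)}
    return {n: r for n, r in found.items() if r}
```

On a real host, pass the contents of /etc/login.conf and /etc/ssh/sshd_config; a non-empty result means those classes rely on a restriction the affected ports do not apply.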