I want to be able to allow a specific user to login from any host.

Currently I use the TCP WRAPPERS /etc/hosts.allow and deny to restrict access to my servers, but I have a problem whereby I want a roaming user to have access. I had thought that I could simply set up a user such as 'roaming_user' then allow that user on ALL hosts.
IE
ALL: roaming_user@ALL

Is such a syntax allowable, is it recommended, is there a better (more secure) way of doing it etc?

It is technically allowable if you respect the requirements and limitations. See "man 5 hosts_access" start at "One should not get carried away with username lookups" (which kinda sets the tone). As you can see from that lookups are unreliable and not trustworthy, as goes for tcp_wrappers in general wrt its susceptibility to spoofing.

If you want it to work for roaming users it depends on what type of access you need to provide them with. If it's just shell logins then forcing OpenSSH to only accept pubkey auth (no passwords) will do. If it's web-based services you could make it switch to only provide services over TLS/SSL (or wedge a stunnel in front of it, or use SSH's forwarding?). If you need to provide more than that you may need something like OpenVPN. It depends on what type of access you need to provide them with and your approach (lazily providing everything *and* the kitchensink or restricting access to only those who need it).
If you add details we'll probably be able to work out advice tailored to your specific setup.

OK - I want the user to be able to access a shell - so in effect an SSH connection.
Currently I have hosts.allow and deny resticting all access to the server to 'known' IPs, so I thought that would also stop a roaming user. If I get rid of the hosts allow/deny restrictions, them I'm just left with SSH password protection aren't I? I had that originally, but that led to loads of hacking attempts. Now, the hack attempts get blocked by the allow/deny rules.

See the sticky thread http://www.linuxquestions.org/questi...tempts-340366/