
Bug#450655: ssh: Insufficient logging when user isn't on the allowed group



Package: ssh
Version: 1:3.8.1p1-8.sarge.6
Severity: normal

When the ssh server is configured to only allow a certain group of users to
login:
	AllowGroups     ssh
any user trying to login will be logged with insufficient information:
	Nov  8 13:31:09 lobo sshd[31794]: User root not allowed because none of user's groups are listed in AllowGroups
	Nov  8 13:31:13 lobo sshd[31796]: User root not allowed because none of user's groups are listed in AllowGroups
	Nov  8 13:31:17 lobo sshd[31798]: User root not allowed because none of user's groups are listed in AllowGroups
	Nov  8 13:31:21 lobo sshd[31800]: User root not allowed because none of user's groups are listed in AllowGroups
this is a problem if you're using a tool such as fail2ban, which can't
extract the ip address to ban it from accessing the ssh service. To fix
this, I had to switch the ssh server log level to VERBOSE:
	SyslogFacility AUTH
	LogLevel VERBOSE
Now I get something usable:
	Nov  8 14:09:51 lobo sshd[1185]: Connection from xx.xxx.xxx.xxx port 54850
	Nov  8 14:10:03 lobo sshd[1185]: User root not allowed because none of user's groups are listed in AllowGroups
	Nov  8 14:10:29 lobo sshd[1189]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxxxxxxxxxxxx.com user=root
	Nov  8 14:10:31 lobo sshd[1185]: error: PAM: Authentication failure for illegal user root from xxxxxxxxxxxxxxxxxxx.com
	Nov  8 14:10:31 lobo sshd[1185]: Failed keyboard-interactive/pam for illegal user root from xx.xxx.xxx.xxx port 54850 ssh2
I'm attaching the sshd_config just in case
	Port 22
	Protocol 2
	HostKey /etc/ssh/ssh_host_rsa_key
	HostKey /etc/ssh/ssh_host_dsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel VERBOSE
	LoginGraceTime 600
	PermitRootLogin no
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	PermitEmptyPasswords no
	PasswordAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	PrintLastLog yes
	KeepAlive yes
	Subsystem	sftp	/usr/lib/sftp-server
	AllowGroups	ssh
	UsePAM yes

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ssh depends on:
ii  adduser               3.63               Add and remove users and groups
ii  debconf               1.4.30.13          Debian configuration management sy
ii  dpkg                  1.10.28            Package maintenance system for Deb
ii  libc6                 2.3.2.ds1-22sarge6 GNU C Library: Shared libraries an
ii  libpam-modules        0.76-22            Pluggable Authentication Modules f
ii  libpam-runtime        0.76-22            Runtime support for the PAM librar
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  libssl0.9.7           0.9.7e-3sarge5     SSL shared libraries
ii  libwrap0              7.6.dbs-8          Wietse Venema's TCP wrappers libra
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/ssh2_keys_merged:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
  ssh/disable_cr_auth: false
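
The PID correlation that the VERBOSE output above makes possible, as an added example that is not part of the original report: the sshd PID on the "Connection from" line is matched to the later AllowGroups rejection to recover the source address. The log lines are constructed (documentation addresses), and the function name denied_sources is hypothetical.

```python
import re

# Constructed sample in the LogLevel VERBOSE format shown in the report;
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Nov  8 14:09:51 lobo sshd[1185]: Connection from 192.0.2.10 port 54850
Nov  8 14:10:03 lobo sshd[1185]: User root not allowed because none of user's groups are listed in AllowGroups
Nov  8 14:10:31 lobo sshd[1185]: Failed keyboard-interactive/pam for illegal user root from 192.0.2.10 port 54850 ssh2
Nov  8 14:11:02 lobo sshd[1190]: Connection from 198.51.100.7 port 40022
Nov  8 14:11:40 lobo sshd[1201]: User admin not allowed because none of user's groups are listed in AllowGroups
"""

SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"Connection from (?P<ip>\S+) port \d+$")
DENIED = re.compile(
    r"User (?P<user>\S+) not allowed because none of user's groups "
    r"are listed in AllowGroups$"
)


def denied_sources(lines):
    """Return (user, ip) pairs for AllowGroups rejections.

    ip is None when no 'Connection from' line was seen for that sshd PID,
    which is the situation the report describes at the default log level.
    """
    ip_by_pid = {}
    hits = []
    for line in lines:
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)
        if c:
            ip_by_pid[pid] = c.group("ip")  # newest connection wins if a PID is reused
            continue
        d = DENIED.match(msg)
        if d:
            hits.append((d.group("user"), ip_by_pid.get(pid)))
    return hits


if __name__ == "__main__":
    for user, ip in denied_sources(SAMPLE_LOG.splitlines()):
        print(f"user={user} source={ip or 'unknown (no Connection line for this PID)'}")
```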



