We have SEAS pointing to an LDAP for authentication. When a user account fails to authenticate via SSH public/private key, the logs show that failure in 'error' mode, but that line does not contain the user account that failed to log in. We can only see the error when the logging is set to 'debug,' and then the username is approximately 2 lines above the key failure error.
In the attached log sample you can see this - line 2832 is the key failure in ERROR level; line 2830 has the user ID associated with that authentication failure and that is in the DEBUG level.
To troubleshoot the key failures we see, we have to set the logs in debug mode, and with that level of information the logs roll over every minute or so, giving us limited visibility time-wise. Ideally, the username would be added to the ERROR-level message.