separate group "ssh" for incoming ssh console permission

Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16

debian/security-misc.postinst

@@ -34,6 +34,7 @@ addgroup --system sysfs
 addgroup --system cpuinfo
 addgroup --system console
 addgroup --system console-unrestricted
+addgroup --system ssh
 
 addgroup root console
 

etc/security/access-security-misc.conf

@@ -20,6 +20,9 @@
 ## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
 +:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
 
+## Allow members of group 'ssh' to login.
++:ssh:ALL EXCEPT LOCAL
+
 ## Everyone else except members of group 'console-unrestricted'
 ## are restricted from everything else.
 -:ALL EXCEPT console-unrestricted :ALL