However, it doesn't seem to hit the module at all for password changes. I
also noticed the default line is like so:
sshd password required pam_permit.so
I would have expected a "pam_unix.so" there instead. Is the password
facility implemented in 4.x?
And since I know there's someone lurking here that knows this, is there
any way to have OpenSSH deny a login when a user has key-based auth setup
on their account? I never found a good way to take care of that; changing
the shell, etc. is a bit awkward.