I'd certainly expect pam to be used for all password validation. If that's not true please give me info on how to reproduce.
reproduce? As far as I can tell, it never uses pam unless you use the kbdint userauth mechanism..
Configure a system with a some non-pam_unix authentication mechanism (such as pam_krb5)
ssh -o preferredauthentications=password <hostname>
see standard prompt
enter password
watch it fail.
ssh -o preferredauthentications=keyboard-interactive <hostname> see custom prompt enter password watch it not-fail
It's fairly obvious, just looking at auth-passwd.c. There is no pam there.
Hmm. This looks like 242119 in the non-krb5 ssh packages (which I even followed up on at one point! it was a year ago though)
p7sxKGD32Vf1J.p7s
Description: S/MIME cryptographic signature
