Subject: pam
To: None <current-users@netbsd.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: current-users
Date: 03/25/2005 11:15:44
I'll freely confess that I don't understand pam.  How do I turn off ssh 
access via a password?  I have 

	PasswordAuthentication no

in sshd_config, but PAM is overriding that.  /etc/pam.d/sshd has 
several lines that reference passwords; it isn't at all clear to me if 
I have to change them all or not.  (What I've done for now is turn off 
PAM in sshd_config.)  I'm particularly confused by the 'auth' versus 
'password' entries -- the PAM documentation says that the password 
lines are for password changing and the like, but I know of no way to 
use ssh to change a password, so why is it there?  What are the 
implications of pam_krb5 if I don't have Kerberos?

More generally, sshd has many authorization control mechanisms of its 
own.  How do these interact with PAM?  The sshd_config file needs to be 
changed so that parameters ignored if PAM is in use (such as the 
aforementioned PasswordAuthentication line) are clearly separated from 
those that still have power to authenticate a user.  Other services may 
have similar issues.  For example, I note that there is a pam_ftpusers 
module that checks against /etc/ftpusers, but there doesn't seem to be 
anything that checks against /etc/shells.  

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
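The situation described in the message (PasswordAuthentication set to no, yet PAM still prompting for a password) comes from sshd's keyboard-interactive method, which hands the dialogue to PAM when UsePAM and ChallengeResponseAuthentication are both on. The following audit script is an added example, not code from the original post or from NetBSD; it parses an sshd_config the way sshd does (first value of a keyword wins, keywords case-insensitive, Match blocks not evaluated) and reports which password-bearing login paths remain. The defaults it falls back on are upstream OpenSSH's; a distribution may ship different ones, and the sample configurations are constructed for illustration.

```python
"""Audit an sshd_config for password-based login paths that survive
PasswordAuthentication no (added example; assumes upstream OpenSSH defaults)."""
import re

# Upstream OpenSSH defaults used when a keyword is absent from the file.
# Assumption: a distribution's shipped sshd_config may override these.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# KbdInteractiveAuthentication is the newer spelling of the same knob.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section.

    Mirrors sshd's rules: the first value seen for a keyword is kept and
    later duplicates are ignored; keywords are case-insensitive; parsing
    stops at the first Match block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value may be separated by whitespace or '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def password_login_paths(text):
    """List the ways a password can still be used to log in via sshd."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key])

    paths = []
    if get("passwordauthentication") == "yes":
        paths.append("password method (PasswordAuthentication yes)")
    # With UsePAM on, the keyboard-interactive method lets PAM run its
    # own password dialogue regardless of PasswordAuthentication.
    if get("usepam") == "yes" and get("challengeresponseauthentication") == "yes":
        paths.append("keyboard-interactive via PAM "
                     "(UsePAM yes + ChallengeResponseAuthentication yes)")
    return paths


# Constructed sample: what the message describes, with PAM left enabled.
AS_POSTED = """\
# sshd_config (constructed example)
PasswordAuthentication no
UsePAM yes
"""

# Constructed sample: PAM stays on, but the keyboard-interactive path is shut.
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        paths = password_login_paths(cfg)
        print(f"{name}: {paths or 'no password login path remains'}")
```

Run against the first sample it reports the PAM keyboard-interactive path; against the second it reports nothing, which is the configuration that actually removes password logins while keeping PAM for account and session handling. Turning UsePAM off, as the message describes doing, also closes the path, at the cost of the other PAM modules in /etc/pam.d/sshd no longer running.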