tech-security archive
Why OpenSSH's UsePAM only works with password or challenge/response?
Hi,
I'm not sure this is the right list to send this to. Please redirect me if
needed.
In the sshd_config(5) manpage, one can find:
% UsePAM Enables the Pluggable Authentication Module interface. If set to
% ``yes'' this will enable PAM authentication using
% ChallengeResponseAuthentication and PasswordAuthentication in
% addition to PAM account and session module processing for all
% authentication types.
%
% Because PAM challenge-response authentication usually serves an
% equivalent role to password authentication, you should disable
% either PasswordAuthentication or ChallengeResponseAuthentication.
I don't understand the logic of this. I mean, I see PAM
authentication as a method in itself. I don't understand why it needs
either ChallengeResponseAuthentication or PasswordAuthentication.
I think I'm missing something; a clarification would be welcome.
For instance, I've tried the following configuration in pam.d/sshd with
OpenSSH 4.4:
% auth required pam_nologin.so no_warn
% auth required pam_skey.so
In sshd_config(5):
% PasswordAuthentication no
% ChallengeResponseAuthentication yes
% UsePam yes
And I get the following prompt:
% jarjarbinks:tataz$ ssh ...
% Password [ otp-md5 98 pwnd1234 ]: <- pam_skey
% otp-md5 98 pwnd1234
% S/Key Password: <- OpenSSH
If I disable ChallengeResponseAuthentication, PAM isn't used anymore as
stated in the manpage. Why? How can I get only pam_skey's prompt,
without password authentication disabled?
Thank you.
Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
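
The manpage excerpt quoted in the message above, expressed as a configuration check. This is an added example, not part of the original post or of OpenSSH: the function names are hypothetical, and the defaults are assumed to be those of stock portable OpenSSH.

```python
# Added example: audit sshd_config text against the UsePAM note in sshd_config(5).
# ASSUMPTION: defaults are those of stock portable OpenSSH; vendor builds may differ.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_settings(text):
    """Global-section values; keywords are case-insensitive, first value wins."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            break  # conditional blocks are out of scope for this check
        seen.setdefault(keyword, value)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit_pam(text):
    """Return (methods that reach the PAM auth stack, findings)."""
    cfg = effective_settings(text)
    if cfg["usepam"] != "yes":
        return [], []
    paths = [name for name in ("PasswordAuthentication",
                               "ChallengeResponseAuthentication")
             if cfg[name.lower()] == "yes"]
    findings = []
    if len(paths) == 2:
        findings.append("both PAM-backed methods enabled; disable one")
    if not paths:
        findings.append("PAM auth modules never consulted; "
                        "only account and session processing remain")
    return paths, findings

# Constructed sample: the settings quoted in the message above.
POSTED = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePam yes
"""

if __name__ == "__main__":
    print(audit_pam(POSTED))
```
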