When setting up a PAM config for ssh that can authenticate from more
than one source (like a local passwd/shadow flat file and, say, an LDAP
server), only the first will actually work. If any other modules, of any
kind, are called after the first auth module that actually accepts a
password, a PAM_PERM_DENIED error is returned. It works OK if I qualify
the first auth module with 'sufficient' or use the [] syntax to specify
'success=done', but otherwise it doesn't work at all. The same
configuration works fine with login, vsftpd, and other services.