ssh 4.6p1 defaults to having challenge_response_authentication and kbd_interaction_authentication to off. The shipped config file does not set either option by default. This means that PAM is disabled by default. A KbdInteractiveAuthentication yes or ChallengeResponseAuthentication yes is needed to enable PAM based authentication.
Changing PasswordAuthentication enables non-PAM based password authentication. Doing this while UsePAM is set to yes ends up disabling checks for locked accounts and shadow-based expiry, as well as ignoring any sort of pam config you might have setup. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]