Why is sshd engaging PAM still?

Solution 1:

GSSAPI authentication is not handled by PAM. The PAM module for Kerberos is used for password authentication of a user, using the Kerberos protocol to obtain a valid ticket.

There are 3 outcomes of the GSSAPI authentication.

  1. Authentication failed because credentials were sent but the credentials were invalid.
  2. Authentication succeeded using the credentials presented.
  3. Authentication is ignored because no credentials were supplied.

If the outcome is 1, the request is denied outright as a token was sent but failed. SSHD does not attempt other authentication methods.

If the outcome is 3, sshd will next attempt other authentication methods, which includes the PAM auth section.

I am not familiar with pam_radius but I assume it requests an authentication token regardless of whether or not the user exists for security reasons. Having it fail immediately indicates to a user/attacker that such a user does not exist, so from a process of elimination you could enumerate users.

As for the "requisite" option, in the stack setup given "required" and "requisite" have the same effect. pam_krb cannot request a ticket without a valid user anyway, so it would end up failing immediately.

For the config given pam_unix is not used for authentication but authorization, which is a step that occurs after authentication. To clarify: authentication deals with proving you are who you say you are, whilst authorization deals with you having the correct permissions to do what you want to do (which in this case is login).
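The control-flag behaviour the answer relies on (a "required" failure is remembered but the stack keeps running, a "requisite" failure stops the stack at once, so a module that fails instantly for unknown users would reveal their non-existence) as an added example, not the asker's configuration or the answer's own code; the module names, the two stacks, the user database and the OTP value are assumed:

```python
"""Simulator of how Linux-PAM walks an 'auth' stack under the required /
requisite / sufficient control flags. Added example: the two stacks, the
user database and the OTP value below are constructed, not a real config."""

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
KNOWN_USERS = {"alice": "correct-horse"}   # constructed: principal -> password
VALID_TOKEN = "123456"                     # constructed: the RADIUS one-time token

def pam_krb5(user, creds):
    """Kerberos cannot request a ticket for a principal that does not exist,
    so an unknown user fails at once without any prompt."""
    if user not in KNOWN_USERS:
        return PAM_AUTH_ERR, False          # (result, did the module prompt?)
    ok = creds.get("password") == KNOWN_USERS[user]
    return (PAM_SUCCESS if ok else PAM_AUTH_ERR), True

def pam_radius(user, creds):
    """Assumed pam_radius behaviour: always asks for a token, whether or not
    the user exists, so a failure reveals nothing about the account."""
    return (PAM_SUCCESS if creds.get("token") == VALID_TOKEN else PAM_AUTH_ERR), True

def run_auth_stack(stack, user, creds):
    """Walk the stack the way pam_authenticate() does and return
    (final_result, list of modules that prompted the user)."""
    final, prompted = None, []
    for flag, module in stack:
        result, asked = module(user, creds)
        if asked:
            prompted.append(module.__name__)
        if flag == "requisite" and result != PAM_SUCCESS:
            return PAM_AUTH_ERR, prompted   # stop now; later modules never run
        if flag == "required" and result != PAM_SUCCESS and final is None:
            final = PAM_AUTH_ERR            # remember the failure, keep walking
        if flag == "sufficient" and result == PAM_SUCCESS and final is None:
            return PAM_SUCCESS, prompted    # no earlier required failure: done
    return (final or PAM_SUCCESS), prompted

# Two candidate stacks built from the same pair of modules.
STACK_REQUIRED = [("required", pam_krb5), ("required", pam_radius)]
STACK_REQUISITE = [("requisite", pam_krb5), ("required", pam_radius)]

if __name__ == "__main__":
    bogus = {"password": "x", "token": "x"}
    for name, stack in (("required", STACK_REQUIRED), ("requisite", STACK_REQUISITE)):
        # With "required" the unknown user is still asked for a token;
        # with "requisite" the stack ends before pam_radius ever prompts.
        print(name, "unknown user ->", run_auth_stack(stack, "ghost", bogus))
    good = {"password": "correct-horse", "token": "123456"}
    print("alice, both factors ->", run_auth_stack(STACK_REQUIRED, "alice", good))
```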