pam_setcred() failure for applications not using PAM for authentication in RHEL5
Issue
The customer is using Tectia SSH with PKI certificates to establish a passwordless SSH connection to Red Hat Enterprise Linux servers. Access is granted based on the validity of a user's PKI certificate; the usual PAM authentication modules (such as pam_unix, pam_ldap and pam_kerberos) are not used. The sshd2 PAM configuration looks like this:
auth required pam_tally2.so deny=5 unlock_time=1800
auth required pam_env.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_access.so accessfile=/etc/ldf/netgroupaccess.conf
account required pam_tally2.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
A problem was encountered when the pam_tally2 module was removed from this stack. On investigation, the Tectia PAM session error was traced to pam_setcred() returning PAM_PERM_DENIED.
This problem can affect any application that does not actually use PAM for authentication but still calls pam_setcred().
Environment
Red Hat Enterprise Linux 5.3
x86_64