
SSH and PAM?



Greetings!

I asked the list a while ago about setting up user public key
authentication with ssh.  I think I have more info on my problem.

On my client machine, I generated id_dsa and id_dsa.pub files.  
id_dsa is in my ~/.ssh directory.

id_dsa.pub was sent to the host machine; it resides in ~/.ssh there as well.
I created ~/.ssh/authorized_keys2 that has just the key in one line.

Here is the output of ssh -l user -v server.domain.com:

[user@client .ssh]$ ssh -v -l user server.domain.com
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 501 geteuid 0 anon 0
debug: Connecting to server.domain.com [192.168.1.100] port 22.
debug: Allocated local port 1023.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: zlib,none
debug: got kexinit: zlib,none
debug: got kexinit: 
debug: got kexinit: 
debug: first kex follow: 0 
debug: reserved: 0 
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 503/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'server.domain.com' is known and matches the DSA host key.
debug: bits set: 524/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /home/user/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: ssh-userauth2 successfull
debug: no set_nonblock for tty fd 4
debug: no set_nonblock for tty fd 5
debug: no set_nonblock for tty fd 6
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: Requesting X11 forwarding with authentication spoofing.
debug: channel request 0: shell
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 0 rmax 32768
Connection to server.domain.com closed by remote host.
Connection to server.domain.com closed.
debug: Transferred: stdin 0, stdout 0, stderr 91 bytes in 0.2 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 576.9
debug: Exit status -1
[user@client .ssh]$ 

OK.  It appears that the keys were accepted, right?  But then I got
disconnected right away.  Adding a bad character to user@server's
authorized_keys2 file results in ssh asking me for a password.

Since I was not asked for the password, I am guessing the keys worked.  

So I find this in server's /var/log/messages:

Mar 30 10:21:00 server sshd[31024]: Accepted publickey for user from
192.168.1.50 port 1023 ssh2
Mar 30 10:21:00 server PAM_unix[31024]: (system-auth) session opened for
user user by (uid=0)
Mar 30 10:21:00 server sshd[31024]: fatal: PAM setcred failed: Authentication
service cannot retrieve user credentials
Mar 30 10:21:00 server PAM_unix[31024]: (system-auth) session closed for
user user

So, I'm wondering if I need to do something for PAM?  Here is my
/etc/pam.d/sshd file:

[root@server .ssh]# less /etc/pam.d/sshd 
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
/etc/pam.d/sshd (END) 


Please help!  Any info at all is more than welcome!
Both client and server are running RH 7 with the default install of
OpenSSH (fresh installs at that!).
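The server-side evidence in the post is the useful part: sshd logs "Accepted publickey", PAM opens a session, then sshd aborts with "PAM setcred failed" and PAM closes the session again, all under the same PID. Telling that pattern apart from an ordinary failed login is easier when the sshd and PAM_unix lines are correlated by PID rather than read one at a time. The script below is an added example written for this thread (it is not the poster's code and not part of OpenSSH or PAM); the log lines it parses are constructed to match the format of the /var/log/messages excerpt above, joined back onto single lines as they appear in the real file. The regular expressions, field names and the `verdict` wording are this example's own choices.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the /var/log/messages excerpt in the post.
# PID 31024 reproduces the reported failure; PID 31100 is a contrasting
# login where the PAM session stays open.
SAMPLE_LOG = """\
Mar 30 10:21:00 server sshd[31024]: Accepted publickey for user from 192.168.1.50 port 1023 ssh2
Mar 30 10:21:00 server PAM_unix[31024]: (system-auth) session opened for user user by (uid=0)
Mar 30 10:21:00 server sshd[31024]: fatal: PAM setcred failed: Authentication service cannot retrieve user credentials
Mar 30 10:21:00 server PAM_unix[31024]: (system-auth) session closed for user user
Mar 30 10:25:13 server sshd[31100]: Accepted password for alice from 192.168.1.51 port 1022 ssh2
Mar 30 10:25:13 server PAM_unix[31100]: (system-auth) session opened for user alice by (uid=0)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
ACCEPT_RE = re.compile(
    r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)'
)
SETCRED_RE = re.compile(r'^fatal: PAM setcred failed: (?P<reason>.*)$')
SESSION_OPEN_RE = re.compile(r'^\((?P<service>[^)]+)\) session opened for user (?P<user>\S+)')
SESSION_CLOSE_RE = re.compile(r'^\((?P<service>[^)]+)\) session closed for user (?P<user>\S+)')


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def new_record(pid):
    """Per-PID state: what sshd accepted and what PAM did with the session."""
    return {'pid': pid, 'user': None, 'method': None, 'ip': None,
            'accepted': False, 'session_opened': False,
            'setcred_failed': None, 'session_closed': False}


def correlate(text):
    """Group sshd and PAM_unix events by PID, preserving first-seen order."""
    records = OrderedDict()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line
        rec = records.setdefault(ev['pid'], new_record(ev['pid']))
        msg = ev['msg']
        if ev['prog'] == 'sshd':
            m = ACCEPT_RE.match(msg)
            if m:
                rec.update(accepted=True, user=m.group('user'),
                           method=m.group('method'), ip=m.group('ip'))
                continue
            m = SETCRED_RE.match(msg)
            if m:
                rec['setcred_failed'] = m.group('reason')
        elif ev['prog'].lower() == 'pam_unix':   # logged as "PAM_unix" on this system
            if SESSION_OPEN_RE.match(msg):
                rec['session_opened'] = True
            elif SESSION_CLOSE_RE.match(msg):
                rec['session_closed'] = True
    return records


def find_pam_failures(text):
    """Logins where authentication succeeded but PAM credential setup failed."""
    return [r for r in correlate(text).values()
            if r['accepted'] and r['setcred_failed']]


def verdict(rec):
    """One-line diagnosis for a correlated PID."""
    if rec['accepted'] and rec['setcred_failed']:
        closed = 'closed immediately' if rec['session_closed'] else 'not reported closed'
        return ('%s auth for %s from %s succeeded, but PAM setcred failed (%s); '
                'session %s' % (rec['method'], rec['user'], rec['ip'],
                                rec['setcred_failed'], closed))
    if rec['accepted']:
        return '%s auth for %s from %s succeeded; PAM session OK' % (
            rec['method'], rec['user'], rec['ip'])
    return 'no accepted authentication recorded for pid %s' % rec['pid']


if __name__ == '__main__':
    for rec in correlate(SAMPLE_LOG).values():
        print('pid %s: %s' % (rec['pid'], verdict(rec)))
```

Run against a real file with `correlate(open('/var/log/messages').read())`. The point of keying on the PID is that "Accepted publickey" on its own looks like success; only the setcred fatal under the same PID explains why the client sees the session closed by the remote host with no password prompt.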