Hi. I'm not really swapped in on Debian this weekend; dealing with a transition for day job.
But quick thoughts. I'm surprised that systemd-home is a pam auth module. That is, I wouldn't expect systemd-home to be able to decide whether you have presented valid credentials to log in. It may be that it has an account entry point, but its auth entry point is trivial. pam-auth-update assumes that you don't want to reenter a password. So, it assumes the first module in the stack will take a password and then we will reuse that. Similarly for password, you don't want to, for example, change the LDAP and local passwords to different values. Compare the auth vs auth-initial and password vs password-initial lines in /usr/share/pam-configs/unix. Will systemd-home work with an auth-type of additional rather than primary?
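
An added example, not part of the original message and not code from pam-auth-update: it parses a constructed profile in the pam-configs field layout and reports which module options appear only in the non-initial Auth and Password blocks, which are the password-reuse options the message points at. The profile text and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in pam-configs profile layout (not copied from any system).
SAMPLE_PROFILE = """\
Name: Example password module
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\tpam_unix.so nullok try_first_pass
Auth-Initial:
\t[success=end default=ignore]\tpam_unix.so nullok
Password-Type: Primary
Password:
\t[success=end default=ignore]\tpam_unix.so obscure use_authtok try_first_pass
Password-Initial:
\t[success=end default=ignore]\tpam_unix.so obscure
"""

def parse_profile(text):
    """Return {field: value}; indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None:
                fields[current] = (fields[current] + "\n" + line.strip()).strip()
            continue
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
    return fields

def module_options(block):
    """Module arguments in a block, with the control field and module name dropped."""
    opts = set()
    for line in block.splitlines():
        line = re.sub(r"^\s*(\[[^\]]*\]|\S+)\s+", "", line)  # strip control field
        opts.update(line.split()[1:])                          # skip the module name
    return opts

def reuse_options(text):
    """Per stack: options in the plain block that the -Initial block lacks."""
    fields = parse_profile(text)
    result = {}
    for stack in ("Auth", "Account", "Session", "Password"):
        if stack in fields and stack + "-Initial" in fields:
            result[stack] = (module_options(fields[stack])
                             - module_options(fields[stack + "-Initial"]))
    return result
```

On the constructed profile, the only difference between each pair of blocks is the options that tell a later module to reuse a password collected earlier in the stack.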