Hi.Regarding the Debian bug you reported ("pam_session not run as root"): as part of the PAM rewrite in OpenSSH upstream (between 3.6.1p2 and 3.7p1), do_pam_session is now called just before privilege is dropped permanently.
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.