PAM configuration to allow passwords from both Unix and Kerberos

Matt Mullins mokomull at gmail.com
Sat Dec 10 02:50:50 UTC 2011


For my systems, the canonical source of authentication information is
a Kerberos server, but I also want to support old-fashioned Unix
passwords for a handful of users (including myself) just in case the
Kerberos system is unreachable.  I'm having a bit of trouble adjusting
to the semantics of FreeBSD's PAM configuration, it seems.  The
following is what I have tried in /etc/pam.d/sshd:

auth optional   pam_deny.so
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass

This does what I want: tries Unix authentication, and for most users,
then goes and tries Kerberos authentication.  However, it also seems
to allow access if the module does something other than success or
failure: I hit ^D at the SSH password prompt and it grants me access!
Adding "debug" to these lines doesn't seem to get anything additional
logged, so I'm actually not sure why PAM ends up with a success code
somewhere.

I flipped this logic around and did:

auth sufficient pam_unix.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_deny.so

This does exactly what I want for services like sudo, that just use
pam_authenticate(), but since "sufficient" is equivalent to "optional"
in pam_setcred(), sshd fails all authentications with:
Dec  9 15:05:18 boron-shell sshd[66617]: fatal: PAM: pam_setcred(): failed to retrieve user credentials

I am completely stumped as to how to get this behavior working for both
pam_authenticate and pam_setcred calls.  Can someone enlighten me as to
what a more normal way to do this would be?
--
Matt Mullins
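As an added example (not from the original thread or from FreeBSD), here is a small audit script for the property that separates the two stacks above: whether any entry in the auth chain can fail the chain. It parses pam.d-style lines and flags an auth chain with no required/requisite/binding entry, and a pam_deny.so whose control is sufficient or optional (so its result is ignored and it denies nothing). The two sample stacks are constructed from the post's configurations; the script checks the static shape of the chain only and does not model the pam_setcred() behaviour the poster ran into.

```python
"""Audit a PAM service file's 'auth' stack for a fail-open chain.

Added example, not from the original thread.  A chain built only from
'sufficient' and 'optional' entries has no module whose failure can fail the
chain, so the final result rests on the PAM library's fall-through behaviour.
The two sample stacks below are constructed from the post's configurations.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Controls whose failure fails the chain.  'binding' is OpenPAM's extra flag.
FAIL_CLOSED_CONTROLS = {"required", "requisite", "binding"}

# facility, control (a keyword or a bracketed Linux-PAM action list), module, args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Entry:
    facility: str          # auth, account, session, password
    control: str           # required, sufficient, ... (lower-cased)
    module: str            # e.g. pam_unix.so
    args: Tuple[str, ...]  # module arguments, e.g. ("no_warn", "try_first_pass")


def parse_pamd(text: str) -> List[Entry]:
    """Parse /etc/pam.d/<service> text.  Handles comments, blank lines and
    backslash line continuations; raises on an entry with too few fields."""
    entries: List[Entry] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed PAM entry: {raw!r}")
        facility, control, module, args = m.groups()
        entries.append(Entry(facility.lower(), control.lower(), module,
                             tuple(args.split())))
    return entries


def audit_auth_chain(entries: List[Entry]) -> List[str]:
    """Return findings for the 'auth' facility; an empty list means no finding."""
    auth = [e for e in entries if e.facility == "auth"]
    findings: List[str] = []
    if not auth:
        return ["no auth entries: behaviour falls back to the library default"]
    controls = {e.control for e in auth}
    if any(c.startswith("[") for c in controls):
        findings.append("bracketed control syntax present: review the action list by hand")
    if not (controls & FAIL_CLOSED_CONTROLS):
        findings.append("fail-open: no required/requisite/binding entry, "
                        "so no module failure can fail the chain")
    for e in auth:
        if e.module.endswith("pam_deny.so") and e.control not in FAIL_CLOSED_CONTROLS:
            findings.append(f"pam_deny.so is '{e.control}': its result is ignored, "
                            "so it denies nothing")
    return findings


# Constructed from the two stacks in the post (pam.d format, sshd service).
FAIL_OPEN_STACK = """\
auth optional   pam_deny.so
auth sufficient pam_unix.so no_warn try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass
"""

FAIL_CLOSED_STACK = """\
auth sufficient pam_unix.so no_warn
auth sufficient pam_krb5.so no_warn try_first_pass
auth required   pam_deny.so
"""

if __name__ == "__main__":
    for name, text in (("fail-open", FAIL_OPEN_STACK), ("fail-closed", FAIL_CLOSED_STACK)):
        print(name, audit_auth_chain(parse_pamd(text)) or ["ok"])
```

Run against a real service file by passing its contents to parse_pamd(). The first stack produces two findings; the second produces none, which matches the poster's observation that it behaves correctly for pam_authenticate() callers such as sudo. The sshd failure in pam_setcred() is a separate, dynamic question that a static check of the chain cannot answer.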

