A followup observation: the problem I was having with password authentication goes away if I enable shadow passwords. Perhaps the sshd password checking routine assumes that shadow passwords are always on? Phil