Authentication with PAM

[JCA]

When OpenSSH is built with PAM support, on getting an authentication
request the OpenSSH daemon will invoke PAM functions, as instructed in the
/etc/pam.d/sshd file.

At what point(s) before the authentication stage is concluded does the
daemon invoke such functions? What are the criteria that have been adopted
to select when to start interacting with PAM? I am pretty sure that, for
example, the validity of the username is tested before PAM gets at all
involved, right?