ros, I wonder if pub-key-authentication for sshd is not really 'parsing' or 'processing' the account info from /etc/passwd. I really don't have much detail on this, but I can tell you from experience that if you have users who login to *NIX with an RSA SecurID Token, you have to change their default shell to something like /usr/bin/securid (or whatever the bin/link is to the RSA authentication agent software). Their actual system shell is then stored in their user record in the Auth server db.

Just some food for thought.