OpenPAM has some very strange behavior for chauthtok since 2007 and I just hit that. Why… would you just completely change the semantics of sufficient for the preliminary check thing?! This literally only seems to accomplish one thing: breaking password changes for additional password sources (that are not the last one).