This is the default Debian pam.d/common-auth file, if you don't put the pam_steal.so in the right place you either get nothing or (null) logged out. I found this position worked.

here are the per-package modules (the "Primary" block)

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass

auth required pam_steal.so

here's the fallback if no module succeeds

auth requisite pam_deny.so

prime the stack with a positive return value if there isn't one already;

this avoids us returning an error just because nothing sets a success code

since the modules above will each just jump around

auth required pam_permit.so

and here are more per-package modules (the "Additional" block)

auth optional pam_cap.so

end of pam-auth-update config