Oh, I see it now. In openssh ./auth.c getpwnamallow(), if nss doesn't respond with a proper getpwnam for the user, it's considered an invalid user and bails out. This is a chicken and egg problem for the Himmelblau project. I can't fetch valid information about a user until after the user has authenticated, but ssh won't allow the authentication unless the nss information is valid.