Sorry for not responding more quickly. I don't have a use case at present, so probably not. Adding capabilities to NSS solved the problem I was having (if PAM authenticates a user that NSS returns ENOENT, OpenSSH refuses to permit login). I'm not opposed to it, though, and I'd be interested to hear what needs you might have.