/etc/pam.conf
I think there should be a secure(ish) blank pam.conf file somewhere in the distribution. In case the sys-admin mangles theirs. If it is not too long it could be given here, otherwise we can just point to it.