Thanks to two other SE posts (one on SO, one on SF), the answer lies in using advanced control syntax. The
auth required pam_unix.so try_first_pass nullok
# and sometime later
auth optional pam_ssh.so use_first_pass
should therefore become
auth [success=1 new_authtok_reqd=1 ignore=ignore default=ignore] pam_unix.so try_first_pass nullok
auth required pam_ssh.so use_first_pass
Now it is imperative that the pam_ssh line exactly precedes the pam_unix one, since success=N means to skip N following module(s).
Also, don't forget the session pam_ssh.so line while you're at it!
In my first attempt, I used
auth [success=1 default=ignore] pam_ssh.so try_first_pass
auth required pam_unix.so use_first_pass nullok
instead, but this method locks out all users without SSH keys! Turns out that default=ignore isn't sufficient, auth_err=ignore has to be added since that is apparently not considered part of default. Also, this attempt means there'll either be a "password" or "SSH passphrase" prompt depending on whether the user has an SSH key!
Note that in Arch Linux, the pam_unix line used by login lies in the include chain
login -> system-local-login -> system-login -> system-auth
and that system-login has some other required before including system-auth, so you cannot simply put auth [success=1 default=ignore] pam_ssh.so try_first_pass in before login's auth include system-local-login - you'd skip the wrong required and thanks to the pam_unix.so use_first_pass (instead of try_first_pass) you could still only login with your login password! On the other hand, by modifying system-auth, you're also allowing other services such as sshd to use your SSH key as authentication option to the login password. If you truly want only your login to use this, you have to pretty much break the include chain and manually copy all auths to login.
I found out my system (as most modern Linux) use PAM (Pluggable Authentication Modules) and pam_cracklib module within it. pam_cracklib enforces minimum length of 6 symbols regardless of parameters, so solution is to turn it off.
One link I've read discussed editing password-ac and system-ac files in /etc/pam.d, the contents of both files were same and no explanation was given of their respective roles.
Upon study of PAM docs (The Linux-PAM System Administrators' Guide | linux-pam.org), I learned PAM configs for LINUX services are in that /etc/pam.d directory in separate files. I saw passwd file and it in found only system-ac file mentioned (added by substack keyword), so on my system I needed to edit only system-ac.
Making pam_cracklib optional made no difference (I guess that's because pam_cracklib did not pass entered and rejected pasword to next module in stack - pam_unix) and commenting line with pam_cracklib lead to errors during passwd run. I noted that next line with ordinary pam_unix had option use_authtok (docs: enforce the module to set the new password to the one provided by a previously stacked module). After I deleted that option and commented line with pam_cracklib I now able to set short passwords with passwd.
Best Answer
You can specify per-user or per-group policies through the
pam_succeed_ifmodule. Use the “goto” action (i.e. an integer instead ofok,ignore, etc.) to skip over apasswordsetting for some users.(Warning: untested and I'm not fluent in PAM.)