diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index d078ed1e1bb..a30945cc923 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -17,6 +17,15 @@ let
 description = "Name of the PAM service."; };
+ unixAuth = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ Whether users can log in with passwords defined in
+ /etc/shadow.
+ '';
+ };
+
 rootOK = mkOption { default = false; type = types.bool;
@@ -154,7 +163,8 @@ let
 "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} ${optionalString cfg.usbAuth "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
- auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
+ ${optionalString cfg.unixAuth
+ "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
 ${optionalString cfg.otpwAuth "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString config.users.ldap.enable
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index d57eef860d2..c85c9307e3e 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -128,21 +128,10 @@ in
 ''; };
- usePAM = mkOption {
- default = true;
- description = ''
- Specifies whether the OpenSSH daemon uses PAM to authenticate
- login attempts.
- '';
- };
-
 passwordAuthentication = mkOption { default = true; description = ''
- Specifies whether password authentication is allowed. Note
- that setting this value to false is most
- probably not going to have the desired effect unless
- usePAM is disabled as well.
+ Specifies whether password authentication is allowed.
 ''; };
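Review bot: In the second pam.nix hunk the pam_unix line was the only unconditional entry of the generated auth stack visible here; with `unixAuth = false` every remaining entry (ssh-agent, usb, otpw, ldap) is emitted only when its own option is on, so a service with all of them off reaches the `ldap.enable` line with no auth module at all. Whether that fails closed depends on what the template emits after this hunk, which is outside the view; the stack must still terminate in a `required`/`requisite` deny entry so that an empty auth section cannot succeed. A comment on the new `${optionalString cfg.unixAuth` line would make that dependency explicit: `# with unixAuth = false the auth section may consist only of conditional 'sufficient' entries; the stack must still end in an explicit deny`.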
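Review bot: `passwordAuthentication` is still declared without a `type` in the sshd.nix hunk, while its value is now forwarded to the bool-typed `unixAuth` PAM option; add `type = types.bool;` next to `default = true;` so a non-boolean value is rejected at this option rather than by the PAM module's type check. The shortened description also drops the only hint of how the option works: it now also removes pam_unix from the sshd PAM auth stack (and presumably still drives `PasswordAuthentication` in sshd_config, which is outside the hunk), so wording such as `Specifies whether password authentication is allowed. Setting this to false also removes pam_unix from the sshd PAM stack, so /etc/shadow passwords are rejected even through PAM.` would preserve that information. The enclosing option set continues outside the hunk.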
@@ -284,7 +273,11 @@ in
 networking.firewall.allowedTCPPorts = cfg.ports;
- security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
+ security.pam.services.sshd =
+ { startSession = true;
+ showMotd = true;
+ unixAuth = cfg.passwordAuthentication;
+ };
 services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
@@ -295,7 +288,7 @@ in
 Protocol 2
- UsePAM ${if cfg.usePAM then "yes" else "no"}
+ UsePAM yes
 AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${concatMapStrings (port: ''
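Review bot: `unixAuth = cfg.passwordAuthentication` only removes the pam_unix entry from the sshd PAM stack; the other `sufficient` entries pam.nix emits (usb, otpw, ldap when enabled) stay in place, and since `UsePAM yes` is now unconditional in the next hunk they can still authenticate a login, so `passwordAuthentication = false` is narrower than its name suggests. A comment at the assignment would record that: `# only disables pam_unix; other PAM auth modules enabled in security.pam remain active`. The `name = "sshd"` attribute is dropped in favour of the attribute key; presumably the services option now derives the name from it, but that declaration is not visible here.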