The PAM authentication plugin's conversation function may be throwing away some information that may be useful for diagnostic purposes because it does not seem to log messages of the following types:
Display an error message.
Display some text.
I think it might always make sense to log messages of the type PAM_ERROR_MSG.
Maybe it could be optional to log messages of the type PAM_TEXT_INFO. Would it make sense to base that on log_warnings? Or maybe on another new system variable defined by the plugin? Like pam_log_text_info or something?