diff --git a/pam-config.changes b/pam-config.changes
index d43078f..959dbcf 100644
--- a/pam-config.changes
+++ b/pam-config.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Aug 14 13:02:09 UTC 2012 - vcizek@suse.com
+
+- make pam_ssh a sufficient auth module (bnc#730851)
+
 -------------------------------------------------------------------
 Tue Aug  7 13:07:26 CEST 2012 - kukuk@suse.de
 
diff --git a/pam-config.spec b/pam-config.spec
index 9df0b2a..f17cd80 100644
--- a/pam-config.spec
+++ b/pam-config.spec
@@ -26,6 +26,7 @@ BuildRequires:  automake
 PreReq:         pam >= 0.99
 Requires:       pam-modules >= 10.2
 Source:         %{name}-%{version}.tar.bz2
+Patch:          pam_config-0.81-pam_ssh.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -39,6 +40,7 @@ add/adjust/remove other PAM modules and their options.
 
 %prep
 %setup -q
+%patch
 
 %build
 %configure
diff --git a/pam_config-0.81-pam_ssh.patch b/pam_config-0.81-pam_ssh.patch
new file mode 100644
index 0000000..a53d614
--- /dev/null
+++ b/pam_config-0.81-pam_ssh.patch
@@ -0,0 +1,28 @@
+Index: src/mod_pam_ssh.c
+===================================================================
+--- src/mod_pam_ssh.c	2012-08-06 16:39:19.000000000 +0200
++++ src/mod_pam_ssh.c	2012-08-14 14:52:14.649970973 +0200
+@@ -44,7 +44,7 @@ write_config_ssh (pam_module_t *this, en
+       break;
+ 
+     case AUTH:
+-      fprintf (fp, "auth\toptional\tpam_ssh.so\ttry_first_pass ");
++      fprintf (fp, "auth\tsufficient\tpam_ssh.so\ttry_first_pass ");
+       break;
+ 
+     case SESSION:
+Index: src/supported-modules.h
+===================================================================
+--- src/supported-modules.h	2012-08-06 16:59:11.000000000 +0200
++++ src/supported-modules.h	2012-08-14 14:55:27.022709610 +0200
+@@ -100,8 +100,8 @@ static pam_module_t *module_list_auth[]
+   &mod_pam_fprint,
+   &mod_pam_fprintd,
+   &mod_pam_thinkfinger,
+-  &mod_pam_gnome_keyring,
+-  &mod_pam_ssh,     /* optional modules MUST executed before sufficient modules which also need a password. */
++  &mod_pam_gnome_keyring, /* optional modules MUST be executed before sufficient modules which also need a password. */
++  &mod_pam_ssh,
+   &mod_pam_unix2,
+   &mod_pam_unix,
+   &mod_pam_ecryptfs,