diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 19014ead2..c4684ec22 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -431,7 +431,8 @@ function local_user_set(&$user)
 }
 /* unlock valid shell users */
- if (!is_account_disabled($user_name) && !is_account_expired($user_name)) {
+ if (!is_account_disabled($user_name) && !is_account_expired($user_name)
+ && !empty($config['system']['disableintegratedauth'])) {
 $lock_account = 'unlock';
 }
diff --git a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
index e7b7a1578..e58925029 100644
--- a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
+++ b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
@@ -9,16 +9,18 @@ auth sufficient pam_opie.so no_warn no_fake_prompts
 auth requisite pam_opieaccess.so no_warn allow_local
 #auth sufficient pam_krb5.so no_warn try_first_pass
 #auth sufficient pam_ssh.so no_warn try_first_pass
-{% if system.disableintegratedauth|default('0') == '1' %}
-auth required pam_unix.so no_warn try_first_pass
-{% else %}
-auth required pam_opnsense.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+auth sufficient pam_opnsense.so
 {% endif %}
+auth required pam_unix.so no_warn try_first_pass
 # account
 account required pam_nologin.so
 #account required pam_krb5.so
 account required pam_login_access.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+account sufficient pam_opnsense.so
+{% endif %}
 account required pam_unix.so
 # session
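Review bot: The new `!empty($config['system']['disableintegratedauth'])` term in the `if` only works if `$config` is visible inside `local_user_set`, whose body begins before this hunk; if the function does not declare `global $config` (or receive it), the expression is always false and shell accounts are never unlocked even with integrated authentication disabled, so that is worth confirming. The security intent of the added condition is not obvious from the code alone, so the comment should carry it: `/* unlock valid shell users only while integrated auth is disabled; otherwise the local password hash stays locked so PAM can only succeed through pam_opnsense */`. Note also that an account unlocked before this change presumably keeps its unlocked hash until `local_user_set` runs for it again, so verify that toggling the setting re-applies this for every user rather than only on the next edit of each account.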
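Review bot: Demoting `pam_opnsense.so` to `sufficient` and making `auth required pam_unix.so no_warn try_first_pass` unconditional means a failed integrated login now falls through to the local password hash, so with integrated auth enabled two credentials are accepted where previously only `pam_opnsense.so` decided; that is only as safe as the guarantee that such accounts keep a locked hash in master.passwd, which the auth.inc hunk in this same commit gates on the same setting, so the two must not drift (for example accounts unlocked before this change). The template test `default('0') == '0'` also disagrees with the PHP `!empty(...)` check for a present-but-empty element: PHP treats it as integrated auth enabled, while the template would drop `pam_opnsense.so` and leave only `pam_unix.so`; `{% if system.disableintegratedauth|default('0') != '1' %}` in both template blocks would match the PHP semantics. A one-line comment above the auth block, `# integrated auth first (sufficient); local password is the required fallback`, would make the intended stack order explicit for the next reader.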