Update..

roles/common/templates/etc/ssh/sshd_config.j2

@@ -186,7 +186,7 @@ AllowUsers {{ fact_sshd_allowed_users }}
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
+UsePAM {{ sshd_use_pam }}
 
 # Specifies whether login(1) is used for interactive login sessions.
 # Note that login(1) is never used for remote command execution.