Comment 1 for bug 82740

According to the documentation athttp://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/mwg-see-options.html

  The module should not prompt the user for a password. Instead, it should obtain the previously typed password (by a call to pam_get_item() for the PAM_AUTHTOK item), and use that. If that doesn't work, then the user will not be authenticated. (This option is intended for auth and passwd modules only).

try_first_pass seems to be deprecated as a generic optional argument.

This appears to be working as designed. You may want to talk with the PAM developers upstream to change the specification.

Thanks for your report!