Thanks. Too bad it's hard coded (I actually was afraid of that). Seems an overreaction to the "username starting with a '+' or '-'" to totally restrict it to a letter - but I'm not a pam developer.
I checked my logs, the tcb package I have was installed in June, but it wasn't until I updated in late September that a pam update changed the system-auth file to use the pam_tcb module.
Yes, I've spent that long looking for a solution before asking here, since I ran into the same problem in Mandrake something like 2-3 years ago, and I just worked around it by changing my login while pointing to the same home directory. But when it hit PCLOS, I figured I'd better find the source of the change before I update something on my servers and my remote access scripts started blowing up.
At least now I know the source of the problem and can switch back to pam_unix, although I'll have to remember to do that after each pam update, since I'm sure it will keep changing the system-auth file. Now I can watch the updates to my servers for a similar update.