So the PAM upgrade wasn't too bad. I updated one box, restarted services, and rebooted to ensure that everything is working correctly. All you really need to do is update some of the files in pam.d.
grep pam_stack.so *
When I did this, I also saw rexec, rlogin and rsh. I basically looked for service=system-auth and replaced it with the new format:
Old format:
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
New format:
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
When you've changed your configs, emerge or re-emerge pam, and you should be good to go. Remember to restart PAM-related services (e.g. ssh). I'll be slowly pushing towards other boxes with additional services (e.g. ftp, mail, etc.) and will be sure to report if I have any trouble.
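The search-and-replace described above, as an added example that is not part of the original post: a shell filter that rewrites only the "required ... pam_stack.so service=NAME" form shown here and lists any remaining pam_stack.so references for manual review. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: rewrite pam_stack.so lines to the "include" form.
# Only "<type> required [path/]pam_stack.so service=<name>" with no extra
# arguments is rewritten, matching the before/after lines in the post.
# Lines with another control flag are left alone, because "include"
# drops that flag and would change how the stack is evaluated.

# Filter: pam.d file on stdin, converted file on stdout.
convert_pam_stack() {
    sed -E 's/^([[:space:]]*(auth|account|password|session))[[:space:]]+required[[:space:]]+([^[:space:]]*\/)?pam_stack\.so[[:space:]]+service=([A-Za-z0-9_.-]+)[[:space:]]*$/\1 include \4/'
}

# Filter: print non-comment lines that still reference pam_stack.so
# and therefore need a manual decision.
remaining_pam_stack() {
    grep -v '^[[:space:]]*#' | grep 'pam_stack\.so' || true
}

# Constructed sample input, not taken from a real system.
sample_pamd() {
    cat <<'EOF'
#%PAM-1.0
# old: auth required pam_stack.so service=system-auth
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF
}

sample_pamd | convert_pam_stack
echo "--- needs manual review ---"
sample_pamd | convert_pam_stack | remaining_pam_stack
```

Run it against a copy of each file in pam.d and diff the result before replacing the original, and keep an existing root shell open until a fresh login has succeeded.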
Make sure you restart vixie-cron after you do the PAM upgrade. If you see logs like this, make sure you restart that service. I didn't catch it immediately since I get my logs via cron.
Oct 27 09:00:01 comp cron: PAM unable to dlopen(/lib/security/pam_unix.so)
Oct 27 09:00:01 comp cron: PAM [dlerror: /lib/security/pam_unix.so: symbol pam_modutil_getlogin, version LIBPAM_MODUTIL_1.0 not defined in file libpam.so.0 with link time reference]
Oct 27 09:00:01 comp cron: PAM adding faulty module: /lib/security/pam_unix.so
Oct 27 09:00:01 comp cron: PAM unable to dlopen(/lib/security/pam_limits.so)