Well it turns out I'm actually an idiot, the `pam_exec.so` module is perfectly fine for creating PAM conditionals.

Tim Smith was correct in assessing that both tests in my `/etc/security/deny-ssh-user.sh` script were NEVER setting the variable `SSH_SESSION` to true. I didn't take that into consideration because the script works in a normal shell, but the envrionment context is stripped when executed by `pam_exec.so`.

I ended up rewriting the script to use the `last` utility just like his example, however i had to change some of it because the switches for `last` differ from Arch Linux to RedHat.

###Here is the revised script at /etc/security/deny-ssh-user.sh:

 #!/bin/bash
 # Returns 1 if the user is logged in through SSH
 # Returns 0 if the user is not logged in through SSH
 SSH_SESSION=false
 
 function isSshSession {
 local terminal="${1}"
 if $(/usr/bin/last -i | 
 /usr/bin/grep "${terminal}" |
 /usr/bin/grep 'still logged in' |
 /usr/bin/awk '{print $3}' |
 /usr/bin/grep -q --invert-match '0\.0\.0\.0'); then
 echo true
 else
 echo false
 fi
 }
 
 function stripTerminal {
 local terminal="${1}"
 
 # PAM_TTY is in the form /dev/pts/X
 # Last utility displays TTY in the form pts/x
 # Returns the first five characters stripped from TTY
 echo "${terminal:5}"
 }
 
 lastTerminal=$( stripTerminal "${PAM_TTY}")
 SSH_SESSION=$(isSshSession "${lastTerminal}")
 
 if "${SSH_SESSION}"; then
 exit 1
 else
 exit 0
 fi

###Contents of /etc/pam.d/sudo
 ....
 auth [success=ok default=1] pam_exec.so /etc/security/deny-ssh-user.sh
 auth sufficient pam_module_to_skip.so
 ....