man: document new pam_systemd features in man page

man: document new pam_systemd features in man page

This also updates the suggested PAM snippet in a number of way:

1. Be closer to the logic nowadays implemented in Fedora where the
   auth/account/password stacks are all finished off with
   pam_{deny|permit}.so

2. Make pam_unix.so just "sufficient" instead of "required" (paving
   ground for pam_systemd_home.so being hooked in as additional
   sufficient module.

3. Only do pam_nologin in the "account" stack, since it's about account
   validity really.

4. Use modern parameters to pam_unix when changing passwords, i.e.
   sha512 and shadow, and use already set up passwords (preparing ground
   for pam_systemd_home again)