I've gotten several Debian bug reports that pam_nologin should be an account module so it works better with ssh. The problem is that if you have RSA outh or Kerberos auth with ssh, the pam_authenticate call is is skipped, so if pam_nologin is in the auth stack, then it will be ignored. Clearly making pam_nologin be an account module is wrong because doing so would cause it to wait until after the password is entered for login applications. What about allowing pam_nologin to be both an account and auth module? Would this be acceptable? --Sam
