pam.d/README says: Note that having a "sufficient" module as the last entry for a particular service and module type may result in surprising behaviour. To get the intended semantics, add a "required" entry listing the pam_deny module at the end of the chain.
But in fact auth sufficient pam_unix.so auth required pam_deny.so always fails, because (from the PAM article): The second exception is that pam_setcred(3) treats binding and sufficient modules as if they were required which means the final decision drops through to pam_deny even if pam_unix succeeds. Other than the obvious (make pam_unix, or whatever is the last module in the auth chain, required rather than sufficient, and leave out the required pam_deny) is there another solution to this? Jonathan _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"