I know this has come up before and I even saw a patch from Niklas Edmundsson for 2.1.1p2 (see http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96316919430887&w=2).

I had the (mis)fortune recently of realizing that if PAM is defined, /etc/nologin is not honored. session.c tells me that pam_nologin is supposed to take care of this, and that's nice, except that it's a Linux Thing. It doesn't exist on the platform I'm using (Solaris).

I really don't like local hacks and I'm sure there are other Solaris people out there who aren't too happy about this situation... how can this be remedied (other than undefining PAM, of course)?

And finally, thanks for the great software, developers. You make all our work that much more secure :-)