CentOS - Dec 2010 - pam_time.so and /etc/security/time.conf

I am investigating how to limit user logins via sshd to specific
times of day. I have the basic syntax but what I want to know is how
does pam_time.so process time.conf.

Say I have a clutch of users  that should login between 07:00 and
18:00 Monday to Friday.  I infer that the following will handle
that:

sshd;*;*,Wk0700-1800

However, what is not clear to me is how does one permit certain
userids additional login periods while handling the majority of
users as above. Say user01 should also be allowed to logon during
Saturday mornings Sa0800-1200 and early evenings the rest of the
week wk1830-2100 Do I do this?

sshd:*;user01;AL1830-2100&Wk0700-1800&Sa0800-1200
sshd:*:*:Al1830-2100

or will this work?

sshd:*:user01:Sa0800-1200
sshd:*:user01:Wk1830-2100
sshd:*:*:Al0700-1800

or will this?

sshd:*:*:Al0700-1800
sshd:*:user01:Wk1830-2100
sshd:*:user01:Sa0800-1200

What I am trying to understand is whether the first result
encountered, either success or failure, is what is applied to a
given login attempt.  Or, does the stack progress until success or
it ends in which case it fails?

Recasting my question: Is it meaningful to have multiple entries for
a singe userid, whether explicitly given or as part of a wildcard,
contained in time.conf?

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

I have done a bit of experimenting and I am confused respecting the
evident behaviour of this module.

If I do this:

sshd;*;*;Wk0700-1500

Then all user ids fail to log in (at the present time).  However, if
I add this:

sshd;*;user01;Al0000-24000
sshd:*:*:Wk0700-1500

Then I get the same result for user01. If I do this instead:

sshd:*:*:Wk0700-1500
sshd;*;user01;Al0000-24000

Then I also get the same result for user01; Forced disconnection.

The inference I draw is that the time.conf file is processed until
either a failure or the end of the file is encountered, which then
counts as a success. Is this right?  The manual pages and examples
give no hint that this is what happens.  They state in fact that
sshd;*;user01;Al0000-24000 should always let user01 login. And that
clearly does not happen.

Is there something that I am doing wrong here?



-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3