angenent n00b
Joined: 25 Jul 2006 Posts: 2
Posted: Tue Jul 25, 2006 1:05 pm Post subject: PAM sshd pam_nologin and pam_shells never get executed
Hi,
I'm a bit confused by the order in which the PAM modules are executed in the /etc/pam.d/sshd file for the 'auth' module-type on my Gentoo box. Here are the relevant contents of /etc/pam.d/sshd:
auth include system-auth
auth required pam_shells.so
auth required pam_nologin.so
Which, when /etc/pam.d/system-auth is included, translates to:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
auth required pam_shells.so
auth required pam_nologin.so
From my understanding of PAM, if unix authentication using the pam_unix module is successful, the 'sufficient' keyword tells PAM not to process the others down the list. Besides, if authentication has failed, pam_deny is executed, and it's irrelevant whether pam_shells and pam_nologin return success or failure.
Wouldn't it be better to have the pam_shells and pam_nologin modules execute before the pam_unix module?
Regards,
Will Angenent
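The evaluation order described in the post can be traced with a small model of the Linux-PAM control flags. This is an added example, not part of the original post and not PAM's own code; the function name `run_stack`, the reordered stack and the module outcomes are constructed for illustration, and `include` is assumed to flatten into the parent stack as the post lists it.

```python
# Simplified model of Linux-PAM control-flag handling for one module type.
# Module outcomes are supplied by the caller; no real PAM module is invoked.

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: True on success}.
    Returns (granted, modules_called_in_order)."""
    failed = False     # a required/requisite module has failed
    succeeded = False  # some module has contributed a success
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True, called   # stack ends here, later modules skipped
            continue                  # otherwise the result is ignored
        if control not in ("required", "requisite", "optional"):
            raise ValueError("unsupported control flag: " + control)
        if ok:
            succeeded = True
        elif control == "requisite":
            return False, called      # fail immediately
        elif control == "required":
            failed = True             # remember the failure, keep going
    return succeeded and not failed, called

# The flattened auth stack exactly as listed in the post.
POSTED = [("required", "pam_env"), ("sufficient", "pam_unix"),
          ("required", "pam_deny"), ("required", "pam_shells"),
          ("required", "pam_nologin")]

# Constructed variant: the ordering the post asks about.
REORDERED = [("required", "pam_env"), ("required", "pam_shells"),
             ("required", "pam_nologin"), ("sufficient", "pam_unix"),
             ("required", "pam_deny")]

# Constructed outcomes: correct password while /etc/nologin exists,
# so pam_nologin fails for a non-root user. pam_deny always fails.
GOOD_PW_NOLOGIN = {"pam_env": True, "pam_unix": True, "pam_deny": False,
                   "pam_shells": True, "pam_nologin": False}
# Constructed outcomes: wrong password, no /etc/nologin.
BAD_PW = dict(GOOD_PW_NOLOGIN, pam_unix=False, pam_nologin=True)

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, run_stack(stack, GOOD_PW_NOLOGIN))
```

With the posted order, a correct password grants access after only pam_env and pam_unix have run; with the reordered stack the same login is denied because the pam_nologin failure is recorded before pam_unix is reached.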