So here's the problem I've discovered:
http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-k... (links to the Arch bug included)

I'm posting here because I believe both KDE's and Arch's developers' responses are less than satisfactory. This is a security bug and easy to fix without making users' lives more difficult.

So I'm starting with

/etc/pam.d/login

    auth required pam_shells.so  # add this: why let someone log in who has an invalid shell?

/etc/pam.d/kdm
# I'm pretty sure it should be 99% the same as login since it allows logins.

    #%PAM-1.0
    auth requisite pam_nologin.so
    auth required pam_unix.so nullok
    auth required pam_shells.so  # as my blog says, setting an invalid shell is a common way of disabling accounts.
    auth required pam_tally.so onerr=succeed file=/var/log/faillog
    # use this to lockout accounts for 10 minutes after 3 failed attempts
    #auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
    account required pam_access.so
    account required pam_time.so
    account required pam_unix.so
    password required pam_unix.so
    #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
    #password required pam_unix.so md5 shadow use_authtok
    session required pam_unix.so
    session required pam_env.so
    session required pam_limits.so

Also, I believe pam_tally2 replaces pam_tally; may wish to consider migrating (non-urgent, next release?).

-- 
Caleb Cushing

http://xenoterracide.blogspot.com
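
Added example, not part of the original post and not Arch's or KDE's code: a small audit that reports which login-capable PAM services have no pam_shells.so in their auth stack, and which accounts are "disabled" only by a shell missing from /etc/shells. The function names, the system-auth include file and all sample file contents are constructed for illustration; on a real host you would pass in the contents of /etc/pam.d/*, /etc/passwd and /etc/shells.

```python
import re

# Constructed sample data (not taken from any real system).
SAMPLE_PAM = {
    "login": "#%PAM-1.0\nauth requisite pam_nologin.so\nauth include system-auth\n"
             "auth required pam_shells.so\naccount required pam_unix.so\n",
    "kdm": "#%PAM-1.0\nauth requisite pam_nologin.so\nauth include system-auth\n"
           "#auth required pam_shells.so\nsession required pam_unix.so\n",
    "system-auth": "auth required pam_unix.so nullok\n",
}
SAMPLE_SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n"
SAMPLE_PASSWD = ("alice:x:1000:1000::/home/alice:/bin/bash\n"
                 "olduser:x:1001:1001::/home/olduser:/bin/false\n")

# type, control (plain keyword or [bracketed] form), module path or include target
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(service, files, seen=None):
    """Module names in the auth stack of `service`, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    mods = []
    for raw in files[service].splitlines():
        # Strip comments; this also drops the #%PAM-1.0 header and commented-out rules.
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            mods += auth_modules(target, files, seen)
        else:
            mods.append(target.rsplit("/", 1)[-1])
    return mods

def services_missing_pam_shells(files, services):
    """Services whose auth stack never consults /etc/shells."""
    return [s for s in services if "pam_shells.so" not in auth_modules(s, files)]

def accounts_disabled_by_shell(passwd_text, shells_text):
    """Accounts whose login shell is not listed in /etc/shells."""
    valid = {l.strip() for l in shells_text.splitlines()
             if l.strip() and not l.startswith("#")}
    fields = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in fields if len(f) == 7 and f[6] not in valid]

if __name__ == "__main__":
    print("no pam_shells:", services_missing_pam_shells(SAMPLE_PAM, ["login", "kdm"]))
    print("invalid shell:", accounts_disabled_by_shell(SAMPLE_PASSWD, SAMPLE_SHELLS))
```

Any account in the second list can still authenticate through any service in the first list, which is the gap the pam_shells.so line closes.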