A little troubleshooting last night with a Citadel user running Gentoo revealed that our PAM configuration file was a little less than portable:
#%PAM-1.0 # auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth After a little bit of experimentation, I've changed the default to: #%PAM-1.0 # auth include system-auth account include system-auth session include system-auth This appears to be portable, although I haven't yet found any relevant documentation in LSB that says how to do this stuff. It appears to be valid on even older RedHat-ish systems, along with current Ubuntu and Gentoo. If anyone could shed some light on whether "include system-auth" is either a de jure standard or at least widely portable, I'd appreciate the insight.