The PAM config file for rlogin specifies the rhosts_auth module at the top of the auth stack, with
key "sufficient".  This causes other modules further down the auth stack to be ignored when the
rhosts_auth module reports success; in particular the securetty and nologin modules are
skipped in that case.  The PAM documentation on the nologin module discusses this issue.
That the securetty module can be circumvented is the largest security issue here, but that nologin
can be ignored is the most clear bug (one could argue that skipping the securetty module is the
desired behavior, although I would dissent).

An improved PAM rlogin config file might look like this:

#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so

The pwdb module must come after the rhosts_auth module for rhosts authentication to work
correctly, but any modules that must be satisfied in every case must come before.

My personal preference, by the way, is to apply the "requisite" control flag to the nologin
module instead of the "required" flag -- the nologin file is displayed in either case, and with
"requisite" the user is spared the rest of the process.

I have some other issues with various PAM configs in the rsh-server and other packages,
which I will report seperately.