The PAM config files for rsh, rlogin, and rexec should all have the nologin module at the top of the authentication stack, with control flag "requisite." The contents of the nologin file will be displayed in any case (with the default configs), so moving the module to the top of the stack in no way increases security exposure. Putting that module at the top and making it requisite, however, does reduce the nuisance value of being prompted for a password when access will in any case assuredly be denied. It furthermore is a minor security gain for rexec and sometimes rlogin because no password will ever be sent across the network when because of the nologin module there is no chance that access will be granted.
Fixed for current release (RH 7.1). Read ya, Phil *** This bug has been marked as a duplicate of 17183 ***