The manpage for sshd states:
When a user successfully logs in, sshd does the following:
3. Checks /etc/nologin; if it exists, prints contents and
quits (unless root).
It doesn't. Even if /etc/nologin exists, any user can still log in.
Fixed in OpenSSH CVS:
- (djm) Enable /etc/nologin check on PAM systems, as some lack the
pam_nologin module. Report from William Yodlowsky
This change will be integrated into 2.9p2-7 and later. Thanks!
The OpenSSH devs should have never made that change. They reverted this in the
Feb 2005 release of OpenSSH v4.3.
Now, properly, OpenSSH defers to PAM on /etc/nologin processing.