The manpage for sshd states: LOGIN PROCESS When a user successfully logs in, sshd does the following: <...> 3. Checks /etc/nologin; if it exists, prints contents and quits (unless root). It doesn't. Even if /etc/nologin exists, any user can still log in.
Fixed in OpenSSH CVS: 20010713 - (djm) Enable /etc/nologin check on PAM systems, as some lack the pam_nologin module. Report from William Yodlowsky <bsd.edu>
This change will be integrated into 2.9p2-7 and later. Thanks!
The OpenSSH devs should have never made that change. They reverted this in the Feb 2005 release of OpenSSH v4.3. Now, properly, OpenSSH defers to PAM on /etc/nologin processing.