>Why should we allow access if the script failed, and the admin asked
>that if the script failed, that the login be refused?

Well I think that if login is to be refused, the script should return "normal"
(WEXITED) with a non-zero status. Anything else looks like a programming
error, and I was puzzled when there was no indication (syslog printf are
spare as to not spam /var/log/messages), but normal tty login worked.

>Isn't this something for the script to handle (if it is expected that
>the script may segfault)?

It was unexpected

Jan Engelhardt