The /etc/pam.d/system-auth file on a Fedora 7 Linux system
looks like this:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

....

(remaining lines omitted.)

My question is on the "account" lines. If I understand
this correctly, the first line requires a valid, unexpired
user account. The last three lines don't seem to do anything!
That is, if the first line succeeds the last three can never
have any effect. I'm thinking this is a mistake and
that Red Hat meant to have this policy:

....
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_unix.so
....

Can anyone enlighten me about this?

-Wayne
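
The control-flag behaviour this question turns on, as an added example that is not part of the original post: a simplified Python model of Linux-PAM's required / requisite / sufficient semantics, run over both "account" orderings. The module outcomes (a local user with uid >= 500 whose account is expired or valid) are constructed scenarios, and the function and variable names are hypothetical.

```python
# Added example: a simplified model of Linux-PAM control flags.
# Module outcomes are constructed scenarios, not captured from a real host.
SHIPPED = [("required", "pam_unix"), ("sufficient", "pam_localuser"),
           ("sufficient", "pam_succeed_if"), ("required", "pam_permit")]
PROPOSED = [("sufficient", "pam_localuser"), ("sufficient", "pam_succeed_if"),
            ("required", "pam_unix")]

def run_stack(stack, results):
    """Return (granted, modules_called) for one pass over the stack.

    results maps module name -> True (PAM_SUCCESS) or False (any failure).
    """
    failed = False     # a required module has already failed
    succeeded = False  # at least one required/requisite module succeeded
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "required":
            # Failure is remembered, but the rest of the stack still runs.
            failed = failed or not ok
            succeeded = succeeded or ok
        elif control == "requisite":
            if not ok:
                return False, called   # fail at once, skip the rest
            succeeded = True
        elif control == "sufficient":
            if ok and not failed:
                return True, called    # succeed at once, skip the rest
            # Otherwise the result of a sufficient module is ignored.
    return succeeded and not failed, called

# Constructed scenarios: local user, uid >= 500, so "uid < 500" is False.
EXPIRED_LOCAL = {"pam_unix": False, "pam_localuser": True,
                 "pam_succeed_if": False, "pam_permit": True}
VALID_LOCAL = dict(EXPIRED_LOCAL, pam_unix=True)

if __name__ == "__main__":
    for name, stack in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        for label, res in (("expired", EXPIRED_LOCAL), ("valid", VALID_LOCAL)):
            granted, called = run_stack(stack, res)
            print(f"{name:8} {label:7} granted={granted} called={called}")
```

In the shipped order pam_unix is always consulted first, and a succeeding sufficient line only ends the stack before later lines run. In the proposed order a local account is granted by pam_localuser before pam_unix can report that it has expired.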