Ah, yes. That would make blocking IP addresses somewhat problematic.

Thanks for the info but it's not address blocking that we require as most users will connect from the same IP address!
I would just lock the account.

Instead of blocking an offending IP, have a script change user's shell.
An encrypted password prefixed by `*LOCKED*' means that the account is
temporarily locked out and no one can log into it using any
authentication. For a convenient command-line interface to account
locking, see pw(8).
USER LOCKING
The pw utility supports a simple password locking mechanism for users; it
works by prepending the string `*LOCKED*' to the beginning of the
password field in master.passwd to prevent successful authentication.
The lock and unlock commands take a user name or uid of the account to
lock or unlock, respectively. The -V, -C, and -q options as described
above are accepted by these commands.
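An added example, not part of the original posts: because most users share one source address, this sketch counts failed sshd password attempts per account rather than per IP and prints the `pw lock` commands it would run. The threshold, the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Dry-run account lockout: count failures per user, not per source address.
THRESHOLD=3   # assumed policy value, not from the thread

# Constructed sample input in sshd's "Failed password" log format.
# Every line comes from the same address, as in the thread's scenario.
sample_log() {
cat <<'EOF'
Jan 10 09:00:01 host sshd[1001]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Jan 10 09:00:05 host sshd[1002]: Failed password for alice from 192.0.2.10 port 50002 ssh2
Jan 10 09:00:09 host sshd[1003]: Failed password for bob from 192.0.2.10 port 50003 ssh2
Jan 10 09:00:12 host sshd[1004]: Failed password for invalid user admin from 192.0.2.10 port 50004 ssh2
Jan 10 09:00:13 host sshd[1005]: Failed password for invalid user admin from 192.0.2.10 port 50005 ssh2
Jan 10 09:00:14 host sshd[1006]: Failed password for invalid user admin from 192.0.2.10 port 50006 ssh2
Jan 10 09:00:20 host sshd[1007]: Failed password for alice from 192.0.2.10 port 50007 ssh2
Jan 10 09:00:31 host sshd[1008]: Accepted password for bob from 192.0.2.10 port 50008 ssh2
Jan 10 09:00:40 host sshd[1009]: Failed password for bob from 192.0.2.10 port 50009 ssh2
EOF
}

# Read log lines on stdin; print users with at least $1 failed passwords.
# "invalid user" lines are skipped: there is no account to lock.
users_to_lock() {
    awk -v max="$1" '
        /Failed password for invalid user / { next }
        /Failed password for / {
            for (i = 2; i < NF; i++)
                if ($i == "for" && $(i - 1) == "password") {
                    count[$(i + 1)]++
                    break
                }
        }
        END { for (u in count) if (count[u] >= max) print u }
    ' | sort
}

# Print the pw(8) lock command for each user instead of executing it.
lock_commands() {
    users_to_lock "$1" | while read -r user; do
        echo "pw lock $user"
    done
}

sample_log | lock_commands "$THRESHOLD"
```

A locked account stays locked until `pw unlock` is run for it, so anyone who can generate failed logins against a name can keep that user out.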
People who came up with PAM should be sentenced to long jail terms. Following the Linux PAM lead is one of the most irritating things on FreeBSD. All sane commercial UNIX-es have better alternatives, not to mention the ypldap daemon of OpenBSD.

On Linux, this would be very easy to do using PAM.