Add a whole bunch of example entries for pam. This should help get

folk over various hurdles.

etc/pam.conf

@@ -9,19 +9,27 @@
 #
 # $FreeBSD$
 
-# If the user can authenticate with S/Key, that's sufficient.
+# If the user can authenticate with S/Key, that's sufficient; allow clear
+# password. Try kerberos, then try plain unix password.
 login	auth	sufficient	pam_skey.so
-
-# Check skey.access to make sure it is OK to let the user type in
-# a cleartext password.  If not, then fail right here.
 login	auth	requisite	pam_cleartext_pass_ok.so
-
-# If you want KerberosIV authentication, uncomment the next line:
 #login	auth	sufficient	pam_kerberosIV.so		try_first_pass
-
-# Traditional getpwnam() authentication.
 login	auth	required	pam_unix.so			try_first_pass
 
+# r-utils are broken; ensure this doesn't bother folk
+rshd	auth	sufficient	pam_deny.so
+
+# Don't break startx
+xserver	auth	required	pam_permit.so
+
+# XDM is difficult; it fails or moans unless there are modules for each
+# of the four management groups; auth, account, session and password.
+xdm	auth	required	pam_unix.so
+#xdm	auth	sufficient	pam_kerberosIV.so		try_first_pass
+xdm	account	required	pam_unix.so			try_first_pass
+xdm	session	required	pam_deny.so
+xdm	password required	pam_deny.so
+
 # If we don't match anything else, default to using getpwnam().
 other	auth	required	pam_unix.so			try_first_pass
 other	account	required	pam_unix.so			try_first_pass