Yo,
Isn't there a limit on the number of processes and the size of memory that you set in pam.conf? I actually limited it to around 5 or something for a user (aka me!) and found I could not log in :)
Sense and reason is the limit. 5 might not be enough to run through /etc/profile.
If you configure such limits, always make sure that root is not concerned by these limits. Otherwise you have to reboot to get rid of the constraints since the limits get inherited.
A little something that might help dealing with situations like these...

I'm doing admin for mostly remote machines (cipe tunnels, very restrictive firewall rules) and playing with config items like the ones under discussion always makes me very nervous. Recovering from a lock-myself-out situation might easily force me to fly to Canada (living in the Netherlands). So, I started using a little procedure: copy config to /tmp, edit, run, move back if OK. If I get locked out I can always call for someone to play the power switch.

That procedure got a little more formalized and I added a "sleep", followed by a "reboot -r" to the end of the file. If everything was OK, I would be able to hit ^C, remove the sleep-reboot and move the file back. Because I once forgot to remove these (luckily at home), I made a little improvement and now the end of my /etc/rc.d/rc.firewall (one of the most often changed config items) reads:

    # This is completely free software to anyone, except for security agencies who must first
    # mail me the phone number where they can be reached between 22:00 and 08:00 hours.
    # The reboot timer only runs when the script is started under another name (a test copy).
    if [ "`basename "$0"`" != "rc.firewall" ]
    then
        echo "Script started as $0."
        echo "You have one minute to show you are still effectively connected by hitting ^C."
        echo "If you do not kill this script within one minute the machine will reboot."
        for Loop in 60 50 40 30 20 10
        do
            echo
            echo -n "Hit ^C now! Reboot in ${Loop} seconds!"
            sleep 10
        done
        echo
        echo
        echo "Rebooting machine..."
        shutdown -r 0
    fi

I always copy this code and paste the config's filename so there's minimal chance at mistakes. Now I can safely copy to test.firewall, add "iptables -i ${MyOnlyWayIn} -j DROP" to the top of the INPUT chain, run it, and then (some two minutes later) decide against it and toss the added security.

CIAO,
Peter
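
A variant of the dead-man switch from the last message, as an added example that is not part of the original thread: it undoes the change instead of rebooting, and it only accepts confirmation through a marker file meant to be created from a fresh login, since a session that was already open can survive a firewall or limits change that blocks new ones. The function name, the marker path and the iptables-save/iptables-restore usage shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): apply a risky change and roll it
# back automatically unless the admin confirms it in time.
#
# apply_with_rollback APPLY_CMD ROLLBACK_CMD TIMEOUT_SECONDS CONFIRM_FILE
#   exit status 0: confirmed, change kept
#   exit status 1: no confirmation, rollback executed
#   exit status 2: apply step failed, rollback executed
#
# Hypothetical use for a firewall test copy (paths are assumptions):
#   iptables-save > /root/fw.before
#   apply_with_rollback "sh /tmp/test.firewall" \
#       "iptables-restore < /root/fw.before" 60 /root/fw.confirmed
#   ...then log in over a NEW connection and: touch /root/fw.confirmed
apply_with_rollback() (
    apply_cmd=$1
    rollback_cmd=$2
    timeout=$3
    confirm_file=$4

    # Body runs in a subshell, so this trap does not leak to the caller.
    # Ignoring SIGHUP lets the rollback run even if the session drops.
    trap '' HUP

    # A stale marker from an earlier run must not count as confirmation.
    rm -f "$confirm_file"

    if ! sh -c "$apply_cmd"; then
        sh -c "$rollback_cmd"
        exit 2
    fi

    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm_file" ]; then
            rm -f "$confirm_file"
            exit 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # Nobody confirmed: assume the admin is locked out and undo the change.
    sh -c "$rollback_cmd"
    exit 1
)
```

Run it detached from the terminal (for example with nohup) when the change can cut the session that started it.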