pam_limits maxlogins count -Out by one

Hi,

I am new to this List, please forgive me if this subject has been 
discussed more than once!!

Two q's from me:
1)
pam_limits module appears to be out by one for certain authentication 
methods -- In particular ssh -- Example, if I set maxlogins for a user 
of 1, the user is allowed 2 logins, the third fails. If I set maxlogins 
0, no logins allowed. I assume someone is aware of it??


2)
I have been playing with a pam_iptables module for PAM  see 
http://www.itlab.musc.edu/~nathan/authentication_gateway/(Not part of 
the main PAM tree).

In playing with this module it occured to me that what the pam_iptables 
is much like is a generic "execute something when some pam 
authentication takes place" type of module.  ie a pam_generic_execv that 
reads a config file list of programs to execute when  a PAM 
authentication takes place. Is there such a module already ? If not 
would it be usefull, safe, or just superfluous?

Cheers,
Michael