A blacklisted command is not being blocked when it is the first command entered in an ssh session to a Redhat 6.9 target device. This only happens when using the SSH Applet. The command filter works fine when using a TCP/UDP service to launch Putty. There also is no problem using other flavors of UNIX, such as Linux or Solaris.
Observed with PAM 3.1.1. Older releases, and 3.2 GA, may be affected as well.
This was related to the contents of the banner and motd files being used to display messages to users when they login.The root cause was identified as the last line of one, or both, of these files ending with a <newline> character. In some tests this would occur if either file ended with such a character. In other cases it only occurred when both ended with a newline character.
HotFix 18.104.22.168 fixes the problem.
If you don't have the hotfix applied yet, there are a couple of workarounds for this problem:
1. Edit the banner and motd files, to insure they don't end with a newline character.
2. Configure user login scripts so that some command would be executed as soon as the user logged in, for example echo "".