require pam_deny in auth chain causes logins to fail

Jonathan McKeown jonathan at hst.org.za
Mon Jul 3 09:51:01 UTC 2006


pam.d/README says:

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.

But in fact

auth sufficient pam_unix.so
auth required   pam_deny.so

always fails, because (from the PAM article):

The second exception is that pam_setcred(3) treats binding and sufficient 
modules as if they were required

which means the final decision drops through to pam_deny even if pam_unix 
succeeds.

Other than the obvious (make pam_unix, or whatever is the last module in the 
auth chain, required rather than sufficient, and leave out the required 
pam_deny) is there another solution to this?

Jonathan
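Added illustration, not part of the post and not OpenPAM or FreeBSD code: a small Python model of the chain-dispatch rules quoted above (a succeeding "sufficient" module ends the chain with success, a failing "required" module sinks the chain once the remaining modules have run, and pam_setcred(3) treats sufficient and binding modules as required). It walks both auth chains from the post through the two calls a login makes, pam_authenticate() then pam_setcred(), so the reader can see at which step the pam_deny variant fails. The module results (pam_unix succeeds with a correct password, pam_deny fails everything), the handling of "binding" and "optional", and the deny-when-no-module-succeeded default are assumptions of the model, not verified OpenPAM behaviour.

```python
"""Toy model of PAM chain dispatch for the two primitives a login calls in
turn, pam_authenticate() and pam_setcred().  Follows the rules quoted in the
post plus one assumed default: a chain in which no module ever succeeded is
denied.  Added illustration, not OpenPAM code; module results are constructed."""

from typing import Dict, List, Optional, Tuple

Modules = Dict[str, Dict[str, str]]      # module -> primitive -> result
Chain = List[Tuple[str, str]]            # (control flag, module) pairs

# Constructed behaviour of the two modules for each primitive.
GOOD_PASSWORD: Modules = {
    "pam_unix.so": {"authenticate": "success", "setcred": "success"},
    "pam_deny.so": {"authenticate": "failure", "setcred": "failure"},
}
BAD_PASSWORD: Modules = {
    "pam_unix.so": {"authenticate": "failure", "setcred": "success"},
    "pam_deny.so": {"authenticate": "failure", "setcred": "failure"},
}

# The two "auth" chains discussed in the post.
README_CHAIN: Chain = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]
PLAIN_CHAIN: Chain = [
    ("required", "pam_unix.so"),
]


def dispatch(chain: Chain, primitive: str, modules: Modules) -> str:
    """Return "success" or "failure" for running `primitive` down `chain`."""
    fail = False        # a required/binding module has failed
    succeeded = False   # some non-optional module has succeeded
    for flag, module in chain:
        if primitive == "setcred" and flag in ("sufficient", "binding"):
            flag = "required"   # the pam_setcred() exception quoted in the post
        result = modules[module][primitive]
        if result == "success":
            if flag != "optional":
                succeeded = True
            if flag in ("sufficient", "binding") and not fail:
                return "success"    # short-circuit: later modules never run
            continue
        if flag == "requisite":
            return "failure"        # immediate failure
        if flag in ("required", "binding"):
            fail = True             # remembered; the chain keeps running
        # a failing sufficient/optional module is ignored
    if fail or not succeeded:
        return "failure"            # assumed: no positive decision -> denied
    return "success"


def login(chain: Chain, modules: Modules) -> Optional[str]:
    """Mimic login(1): authenticate, then setcred.  Returns the primitive at
    which the login failed, or None if both passed."""
    for primitive in ("authenticate", "setcred"):
        if dispatch(chain, primitive, modules) != "success":
            return primitive
    return None


if __name__ == "__main__":
    for name, chain in (("README chain", README_CHAIN), ("plain chain", PLAIN_CHAIN)):
        for label, mods in (("good password", GOOD_PASSWORD), ("bad password", BAD_PASSWORD)):
            print(f"{name}, {label}: failed at {login(chain, mods)}")
```

With the README chain and a correct password, pam_authenticate() succeeds (pam_unix is sufficient and short-circuits the chain), but pam_setcred() then runs pam_unix as required, continues to pam_deny, and fails, which is the "always fails" the post describes; the plain chain passes both calls.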



More information about the freebsd-questions mailing list