oss-sec mailing list archives

oath-toolkit PAM module OTP token invalidation issue


From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 07 Feb 2014 17:21:28 +0100

Bas van Schaik discovered that commented-out lines in /etc/users.oath
have an undesired side effect:

http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html

There is a test file with comments in the distribution, so I believe
this is an actual bug with security implications, not accidental
misuse of the file format.

