tlwebaccess needs to authenticate users using PAM, just like sshd. To do this, we need a helper binary which talks to PAM, presents prompts etc. lsh-pam-checkpw cannot be used, since it does not support OTP, and is not interactive in any other way. tl-pam-passwd is only for password changes, and suffers from bad design.
Instead of writing a tool from scratch though, we could consider using http://pamtester.sourceforge.net/. It seems to do what we need. It hasn't been updated in several years, but is packaged in Fedora, EPEL, and OpenSuse.
Shipping pamtester in 26854.
For reference, an alternative approach would have been to call PAM directly from Python. There are a few options here:
* http://ace-host.stuart.id.au/russell/files/pam_python/, requires .so files, thus we cannot use it.
* http://atlee.ca/software/pam/ is a pure Python implementation, using "ctypes" for opening libc, libpam etc.
However, with all these solutions, I'm afraid that SELinux (today or tomorrow) will prevent correct PAM behaviour, since /usr/bin/python might not have the correct context etc. After all, we will need to read /etc/pam.d/sshd. A separate binary allows us, if necessary, to set the context to exactly what /usr/sbin/sshd uses.
Tested pamtester alot when testing OTP on bug #4561, verified functionality by installing ThinLinc build 3937 on CentOS which have selinux enabled by default and the HTML5 client works out of the box with pam_prompt.so and no trace of failures in the logs.