Currently works as follows:

auth module stores a garbled password as module specific
PAM data:

+ pam_sm_authenticate puts the garbled password in an 
  PAM environment variable GARBLED_PASSWORD, garble key
  is in PAM data.

+ pam_sm_setcred reads and erases the PAM environment 
  variable GARBLED_PASSWORD and stores it as PAM data
  (pam_sm_setcred has no more access to clear text passwd
   as pam_sm_authenticate has, thats why we store it in 
   PAM environment before)
   
session module performs login tasks:

+ pam_sm_open_session reads the garbled password from 
  PAM data, degarbles it and forks uniklu_helper program
  which reads clear text password over pipe

lines for /etc/pam.d/{login,kdm}:

# before any sufficent auth module
auth required pam_linux_uniklu.so ingnore_root
# after any required session module: 
session optional pam_linux_uniklu.so uniklu_helper_program \
  /usr/local/bin/uniklu_helper authenticate ingnore_root

Inspired by pam_linux_afs from 
  Tobias Schaefer <T.Schaefer@science-computing.de>
found at http://www.uni-hohenheim.de/~schaefer/linux/pam/
