seebs@plethora.net writes:

> I like the fact that BSD Authentication can allow non-setuid programs to
> perform authentication checks that need root privs.

I don't think anything in PAM prevents you from executing a setuid
authentication program from a non-setuid utility for this purpose.

Just like I'm sure you could write a BSD Authentication script that
completed the authentication check with PAM. :)