I'm researching the ways to implement an authentication server capable of 2FA - I want to be able to validate a short password along with a TOTP (probably Google authenticate). But I want to support some legacy applications which only have the capability to emit a single password prompt/accept a single line of input for the password.
Is it possible to handle {staticPassword}+{OTP} as a single string submitted by the user using off-the-shelf PAM modules?
I note that PAM has forward_pass/use_first_pass but from what I've read these seem to be aimed at testing the same password against different authenticators. I've not found anything to allow me to extract a part of the password to apply to an authenticator.
