> Other than the canonical "login" program, what is the correct (PC or
> otherwise) way to deal with this in NetBSD?

Write a tiny setuid-root program to do the authentication.  Write a
function to talk to the authentication program over a Unix domain socket,
or over some pipes.  Put that function in a library.  Call the library
function from your program.  For extra credit, modify all the other
programs that do authentication (login, su, ftpd, ...) to do it the same
way. 

No, I haven't done this, but I think it's the right thing to do.

--apb (Alan Barrett)