kcheckpass existed because historically we needed to be root to check passwords. This hasn't been true for tens of years. There are no security benefits, all authentication is based on the exit status of the greeter application. This patch drops kcheckpass and brings everything in process, but in another thread. This also reports back more fine grained PAM control at the same time (following on from !29) forwarding all prompts and messages. The unit test has been replaced with one that actually checks against a real PAM using pam_wrapper to force a fake user.