As a demo it's fine, and you get to make the UI in parallel. So go for it. In terms of formatting into a string for use with pam_response, that seems sensible. For deployment it's a bit sketchy if you use the same auth for SSH or whatever. You'd probably want to have two different PAM modules so we use different auth checks for different things.