The PKINIT preauth mech may need a password to get at the private key of 
one or more identities.  It should be able to do so via the responder, 
and not just the prompter.