I had a look at the code while attempting to setup a tornado server with http auth based on PAM and this :

challenge = check_credentials_func(username)
        if not challenge:
            raise self.SendChallenge()

        if challenge == password:

makes it somewhat incompatible with PAM authentication, as far as I can tell...

For reference : https://github.com/FirefighterBlu3/python-pam/blob/master/pam.py provides an authenticate(username, password) function where one passes the user and the password at once, and the return value (after some waiting time) determine if we are logged in or not.

Any hint/ideas on how to improve this ?

see #10 for one attempt.
It seems that the current design is not ideal for this...