If your connection is by SSH, then you can use certificates for authentication and tunnel in on a SSH connection. This is the most secure option as plain-text credentials are not sent over the network.
I would look the system services or run-time library for the acme services for validating credentials. The acme services can do the local or external authentication validation.
The traditional sysuaf/getuaf system services can only authenticate against the local SYSUAF so is not robust, and the CRTL implementation of getpw*() routines are incomplete for doing the same thing.