skeysh is a solution for sites that cannot replace the login program.
skeysh is an skey-only login program, to be installed as the login
shell for an unprivileged and password-less account (e.g. skey).

People first log into the skey account. This drops them into the skeysh
program which prompts for their real account name and presents the
corresponding S/Key challenge.  When the correct responses are given,
skeysh runs the user's login shell after performing the usual user-
specific actions (environment variables; motd and mail; wtmp, utmp and
lastlogin file updates; etc.).

skeysh must be installed set-uid root. The skey dummy account should
not have any privileges. It may be a password-less account: tricks with
LD_LIBRARY_PATH etc. won't work because (1) skeysh is set-uid; (2) it
preserves the TZ and TERM environment variables and rewrites anything
else.

I got this idea from *Hobbit*.
