If I understood correctly, they currently have a Windows client program, for managing the firewall, which authenticates the user to the firewall using sshd. Now, they also want to add a host-based utility with similar functionality. However, someone told him that the SSH authentication should occur within this host-based utility (probably a requirement).
While this is doable, it is more complex and difficult to support/maintain. The simplest method IMHO would be to write a custom limited shell that integrates with the new program.
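A sketch of the limited-shell approach suggested above, added here as an example and not part of the original post: sshd keeps doing the authentication, and the account's login shell only forwards allow-listed requests to the management program. The program path `/usr/local/sbin/fwctl` and its subcommands are hypothetical.

```python
#!/usr/bin/env python3
"""Limited login shell sketch: sshd authenticates, this shell only dispatches
allow-listed requests to the management program (all names are hypothetical)."""
import os
import shlex
import sys

FWCTL = "/usr/local/sbin/fwctl"          # hypothetical management program
ALLOWED = {                               # subcommand -> max number of arguments
    "status": 0,
    "list-rules": 0,
    "show-rule": 1,
}
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_.")


def parse_request(line):
    """Return argv for FWCTL, or None if the request is not allowed."""
    try:
        words = shlex.split(line)
    except ValueError:                    # unbalanced quotes and similar
        return None
    if not words or words[0] not in ALLOWED:
        return None
    args = words[1:]
    if len(args) > ALLOWED[words[0]]:
        return None
    # Arguments must be plain tokens and must not look like options.
    for a in args:
        if not a or a.startswith("-") or not set(a.lower()) <= SAFE_CHARS:
            return None
    return [FWCTL, words[0], *args]


def main(argv):
    # sshd runs the account's shell as `<shell> -c "<client command>"`;
    # with no command (interactive login) we refuse rather than give a prompt.
    if len(argv) != 3 or argv[1] != "-c":
        print("interactive sessions are not permitted", file=sys.stderr)
        return 1
    request = parse_request(argv[2])
    if request is None:
        print("request refused", file=sys.stderr)
        return 1
    # execv with an argv list: no shell ever interprets the client's string.
    os.execv(FWCTL, request)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as the login shell of the dedicated management account, this gives the client program a fixed command set while key and password handling stay in sshd.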