"PAM is an API that takes care of authenticating a user
to a service. Before PAM, applications like login (and rlogin,
telnet, rsh) looked for the username in /etc/passwd, then compared
the two and authenticated the user-typed name. All applications
used these shared services, although the implementation details and
authority to configure them was not shared.
"Next, application developers tried coding their own processes.
With this came the need to separate the application and security
module (a common security module can be shared by applications and
can be configured as needed).
"The PAM mechanism integrates multiple low-level authentication
schemes into a high-level API that allows programs that rely on
authentication to be written independently of the underlying
authentication scheme. The principal feature of PAM is the dynamic
configuration of authentication through either an /etc/pam.d or
/etc/pam.conf file.
"PAM can be configured to deny certain programs the right to
authenticate users and to warn when certain programs attempt to
authenticate. PAM programs make use of PAM modules (authentication
modules): They are attached to applications at runtime in order to
work."