"A hidden jewel--or pain in the rear, depending on your
perspective--is Linux PAM (Pluggable Authentication Module). Linux
oldtimers remember the ancient days when PAM was simple and used
but a single configuration file. It didn't do much, and life was
easy. The modern PAM is more complex and flexible, which can be
trying for new sysadmins. But it has a number of significant
"Back in the Linux stone age, passwords were encrypted by the
venerable crypt and the resulting hash was kept in /etc/passwd.
/etc/passwd has to be world-readable, so anyone who could glom a
copy of it could then crack the passwords at leisure. So shadow
passwords were invented; the hashed password is kept in
/etc/shadow, which only root can read..."