Linux-PAM (Pluggable Authentication Modules for Linux) is a library that enables the local system administrator to choose how individual applications authenticate users. For an overview of the Linux-PAM library see the Linux-PAM System Administrators' Guide.
        A Linux-PAM module is a single
        executable binary file that can be loaded by the
        Linux-PAM interface library.
        This PAM library is configured locally with a system file,
        /etc/pam.conf, to authenticate a user
        request via the locally available authentication modules. The
        modules themselves will usually be located in the directory
        /lib/security (or
        /lib64/security, depending on the architecture)
        and take the form of dynamically loadable object files (see
        dlopen(3). Alternatively, the modules can be statically
        linked into the Linux-PAM library;
        this is mostly to allow Linux-PAM to
        be used on platforms without dynamic linking available, but this is
        a deprecated functionality. It is the
        Linux-PAM interface that is called
        by an application and it is the responsibility of the library to
        locate, load and call the appropriate functions in a
        Linux-PAM-module.
      
Except for the immediate purpose of interacting with the user (entering a password etc..) the module should never call the application directly. This exception requires a "conversation mechanism" which is documented below.