The Pluggable Authentication Module (PAM) framework lets you "plug in" new authentication technologies without changing system entry services such as login, ftp, telnet, and so on. You can also use PAM to integrate UNIX login with other security mechanisms like DCE or Kerberos. Mechanisms for account, session, and password management can also be "plugged in" using this framework.
The PAM framework allows a system administrator to choose any combination of system entry services (ftp, login, telnet, or rsh, for example) for user authentication. Some of the benefits PAM provides are:
Flexible configuration policy
Per application authentication policy
The ability to choose a default authentication mechanism
Multiple passwords on high-security systems
Ease of use for the end user
No retyping of passwords if they are the same for different mechanisms
The ability to use a single password for multiple authentication methods with the password mapping feature, even if the passwords associated with each authentication method are different
The ability to prompt the user for passwords for multiple authentication methods without having the user enter multiple commands
The ability to pass optional parameters to the user authentication services