pam —
Pluggable Authentication Modules framework
The Pluggable Authentication Modules (PAM) framework is a system of libraries
  that perform authentication tasks for services and applications. Applications
  that use the PAM API may have their authentication behavior configured by the
  system administrator through the use of the service's PAM configuration file.
PAM modules provide four classes of functionality:
  - account
- Account verification services such as password expiration and access
      control.
- auth
- Authentication services. This usually takes the form of a
      challenge-response conversation. However, PAM can also support, with
      appropriate hardware support, biometric devices, smart-cards, and so
      forth.
- password
- Password (or, more generally, authentication token) change and update
      services.
- session
- Session management services. These are tasks that are performed before
      access to a service is granted and after access to a service is withdrawn.
      These may include updating activity logs or setting up and tearing down
      credential forwarding agents.
A primary feature of PAM is the notion of “stacking”
    different modules together to form a processing chain for the task. This
    allows fairly precise control over how a particular authentication task is
    performed, and under what conditions. PAM module configurations may also
    inherit stacks from other module configurations, providing some degree of
    centralized administration.
login(1),
  passwd(1),
  su(1),
  pam(3),
  pam.conf(5),
  pam_chroot(8),
  pam_deny(8),
  pam_echo(8),
  pam_exec(8),
  pam_ftpusers(8),
  pam_group(8),
  pam_guest(8),
  pam_krb5(8),
  pam_ksu(8),
  pam_lastlog(8),
  pam_login_access(8),
  pam_nologin(8),
  pam_permit(8),
  pam_radius(8),
  pam_rhosts(8),
  pam_rootok(8),
  pam_securetty(8),
  pam_self(8),
  pam_skey(8),
  pam_ssh(8),
  pam_unix(8)
The Pluggable Authentication Module framework was originally developed by
  SunSoft, described in DCE/OSF-RFC 86.0, and first deployed in Solaris 2.6. It
  was later incorporated into the X/Open Single Sign-On Service (XSSO) Pluggable
  Authentication Modules specification.
The Pluggable Authentication Module framework first appeared in
    NetBSD 3.0.