  IN OTHER WORDS, WITHOUT (REWRITING AND) RECOMPILING A PAM-AWARE
  APPLICATION, IT IS POSSIBLE TO SWITCH BETWEEN THE AUTHENTICATION
  MECHANISM(S) IT USES. INDEED, ONE MAY ENTIRELY UPGRADE THE LOCAL
  AUTHENTICATION SYSTEM WITHOUT TOUCHING THE APPLICATIONS THEMSELVES.


  HISTORICALLY AN APPLICATION THAT HAS REQUIRED A GIVEN USER TO BE
  AUTHENTICATED, HAS HAD TO BE COMPILED TO USE A SPECIFIC AUTHENTICATION
  MECHANISM.  FOR EXAMPLE, IN THE CASE OF TRADITIONAL UN*X SYSTEMS, THE
  IDENTITY OF THE USER IS VERIFIED BY THE USER ENTERING A CORRECT
  PASSWORD.  THIS PASSWORD, AFTER BEING PREFIXED BY A TWO CHARACTER
  ``SALT'', IS ENCRYPTED (WITH CRYPT(3)). THE USER IS THEN AUTHENTICATED
  IF THIS ENCRYPTED PASSWORD IS IDENTICAL TO THE SECOND FIELD OF THE
  USER'S ENTRY IN THE SYSTEM PASSWORD DATABASE (THE /ETC/PASSWD FILE).
  ON SUCH SYSTEMS, MOST IF NOT ALL FORMS OF PRIVILEGES ARE GRANTED BASED
  ON THIS SINGLE AUTHENTICATION SCHEME. PRIVILEGE COMES IN THE FORM OF A
  PERSONAL USER-IDENTIFIER (UID) AND MEMBERSHIP OF VARIOUS GROUPS.
  SERVICES AND APPLICATIONS ARE AVAILABLE BASED ON THE PERSONAL AND
  GROUP IDENTITY OF THE USER. TRADITIONALLY, GROUP MEMBERSHIP HAS BEEN
  ASSIGNED BASED ON ENTRIES IN THE /ETC/GROUP FILE.


  UNFORTUNATELY, INCREASES IN THE SPEED OF COMPUTERS AND THE WIDESPREAD
  INTRODUCTION OF NETWORK BASED COMPUTING, HAVE MADE ONCE SECURE
  AUTHENTICATION MECHANISMS, SUCH AS THIS, VULNERABLE TO ATTACK. IN THE
  LIGHT OF SUCH REALITIES, NEW METHODS OF AUTHENTICATION ARE
  CONTINUOUSLY BEING DEVELOPED.


  IT IS THE PURPOSE OF THE LINUX-PAM PROJECT TO SEPARATE THE DEVELOPMENT
  OF PRIVILEGE GRANTING SOFTWARE FROM THE DEVELOPMENT OF SECURE AND
  APPROPRIATE AUTHENTICATION SCHEMES.  THIS IS ACCOMPLISHED BY PROVIDING
  A LIBRARY OF FUNCTIONS THAT AN APPLICATION MAY USE TO REQUEST THAT A
  USER BE AUTHENTICATED. THIS PAM LIBRARY IS CONFIGURED LOCALLY WITH A
  SYSTEM FILE, /ETC/PAM.CONF (OR A SERIES OF CONFIGURATION FILES LOCATED
  IN /ETC/PAM.D/) TO AUTHENTICATE A USER REQUEST VIA THE LOCALLY
  AVAILABLE AUTHENTICATION MODULES. THE MODULES THEMSELVES WILL USUALLY
  BE LOCATED IN THE DIRECTORY /USR/LIB/SECURITY AND TAKE THE FORM OF
  DYNAMICALLY LOADABLE OBJECT FILES (SEE DLOPEN(3)).
