PAM (Pluggable authentication module)
PAM is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. One may entirely upgrade the local authentication system without touching the applications themselves.
This PAM library is configured locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/) to authenticate a user request via the locally available authentication modules.
The modules themselves will usually be located in the directory /lib/security or /lib64/security and take the form of dynamically loadable object files (see dlopen(3)).
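Because each configured module is loaded into the authenticating process, it is worth checking where the configuration points. The Python script below is an added example (not part of the original page or of the PAM project) that parses the rule layout of /etc/pam.conf and /etc/pam.d/ files and lists rules whose module would load from outside the directories named above. The function names, the sample configuration and the /opt/vendor path are constructed for illustration, and resolving bare module names against the first listed directory is an assumption.

```python
import posixpath
import re

# Module directories named on the page; other systems may use different ones.
MODULE_DIRS = ("/lib/security", "/lib64/security")
TYPES = {"auth", "account", "password", "session"}
# Fields: type, control (keyword or [value=action ...]), module path, arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text, service=None):
    """Parse PAM rules. service=None means /etc/pam.conf layout (first field
    is the service); otherwise text is the /etc/pam.d/<service> file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line, svc = raw.split("#", 1)[0].strip(), service  # drop comments
        if service is None and line:
            svc, line = (line.split(None, 1) + [""])[:2]
        m = RULE.fullmatch(line)
        if m and m.group(1).lstrip("-") in TYPES:
            rules.append({"service": svc, "type": m.group(1).lstrip("-"),
                          "control": m.group(2), "module": m.group(3),
                          "args": m.group(4).split()})
    return rules

def audit(rules, module_dirs=MODULE_DIRS):
    """Return the rules whose module would load from outside module_dirs."""
    findings = []
    for r in rules:
        if r["control"] in ("include", "substack"):
            continue  # third field names another config file, not a module
        # Assumption: bare names resolve against the first listed directory.
        full = posixpath.normpath(posixpath.join(module_dirs[0], r["module"]))
        if posixpath.dirname(full) not in module_dirs:
            findings.append(r)
    return findings

# Constructed sample of an /etc/pam.d/sshd file (not taken from a real system).
SAMPLE_PAM_D_SSHD = """\
# constructed sample
auth      required   pam_unix.so nullok
auth      [success=1 default=ignore] /lib64/security/pam_succeed_if.so uid >= 1000
-session  optional   /opt/vendor/pam_custom.so debug \\
                     trace
account   include    system-auth
"""

if __name__ == "__main__":
    for r in audit(parse_pam(SAMPLE_PAM_D_SSHD, service="sshd")):
        print(r["service"], r["type"], r["module"])
```

On a system that keeps its modules elsewhere, pass that directory list as `module_dirs`; a flagged rule is a prompt to review the module file, not proof of tampering.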