Taken from
http://www.ccm.ece.vt.edu/~lscharf/samd/?topic=Linux&title=PAM :

Keywords: Pluggable Authentication Module
Date Created: 2002-04-01
Author: Luke Scharf luke@vt.edu

Here is what I wish I'd known about PAM before I started working with it:

* Some good documentation on PAM is available here:
* The PAM home page (and some vague documentation) is available here:
* PAM is pluggable on both sides - applications plug into the front
and authentication schemes plug into the back.
* The way that applications plug into PAM is defined by the files in
/etc/pam.d. An application will identify itself to PAM by an arbitrary
string. This string is usually the application's name, but it doesn't
have to be. PAM will look in /etc/pam.d/identification_string to see
what authentication mechanisms to use for that program. If
/etc/pam.d/identification_string does not exist, PAM will use the
authentication mechanism found in /etc/pam.d/other.
* PAM has been (rightfully) written with the utmost of paranoia.
This makes it (rightfully) secure, but (infuriatingly) difficult
to troubleshoot. I've read documentation and posted on listservs,
but I haven't found a way to see /why/ a particular authentication
attempt failed. The authors had to debug it somehow, but the
production-quality packaged versions don't seem to emit any
diagnostic information. If anyone can point me to a pam-watch
program that will work on a production machine, I'll very happily
eat some crow.