The following is extracted from an email. I'll tidy it up later.
The point of PAM is that the application is not supposed to have any idea how the attatched authentication modules will choose to authenticate the user. So all they can do is provide a conversation function that will talk directly to the user(client) on the modules' behalf.
Consider the case that you plug a retinal scanner into the login program. In this situation the user would be prompted: "please look into the scanner". No username or password would be needed - all this information could be deduced from the scan and a database lookup. The point is that the retinal scanner is an ideal task for a "module".
While it is true that a pop-daemon program is designed with the POP
protocol in mind and no-one ever considered attatching a retinal
scanner to it, it is also the case that the "clean" PAM'ification of
such a daemon would allow for the possibility of a scanner module
being be attatched to it. The point being that the "standard"
One simple test of a ported application would be to insert the
pam_permit module and see if the application demands you type a
password... In such a case,
xlock would fail to lock the
terminal - or would at best be a screen-saver, ftp would give password
free access to all etc.. Neither of these is a very secure thing to
do, but they do illustrate how much flexibility PAM puts in the hands
of the local admin.
The key issue, in doing things correctly, is identifying what is part of the authentication procedure (how many passwords etc..) the exchange protocol (prefixes to prompts etc., numbers like 331 in the case of ftpd) and what is part of the service that the application delivers. PAM really needs to have total control in the authentication "proceedure", the conversation function should only deal with reformatting user prompts and extracting responses from raw input.