PAM stands for Pluggable Authentication Modules or Pluggable Authentication Mechanism.
PAM is a mechanism for system applications that need to perform authentication to have uniform loadable modules do it for them.
That way, not every program has to do the authentication (be it even by just encrypting and comparing a password) by itself, and when authentication methods are changed/added, program code needs not be changed, and programs need not even be recompiled/rebuilt/relinked. Just some configuration file (pam.conf, or the alternative pam.d directory) has to be changed specifying which methods of authentication each program should use.
PAM was originally developed by Sun Microsystems for Solaris (SunOS 5). Nowadays it is the major part of the X/Open Single Sign-On (XSSO) standard by the Open Group.
Common implementations of PAM are Sun's implementation on Solaris, Linux-PAM - which is rather portable and not only used on Linux - FreeBSD used it too, before release 5.0 - now it uses OpenPAM.
PAM can be used not only for strict authentication (that is - given some credentials or conversation methods, verify that the user is who he claims to be) - but also for accounting (deciding whether the user may get access according to various factors like the time, terminal, account status, etc., and auditing the attempt), session
management (set up the environment for the user's session - give the user permissions to some files and devices, set environment variables, store authentication tokens in a file for later re-use), and password management (let the user change his password through various services, remotely and locally, and have it synchronized and fit with further
authentication).
PAM modules can be stacked, so that if one fails to authenticate the user, the others can try, or so that the user has to go through multiple steps and modules to be authenticated. Stacked modules can pass some information, like authentication tokens/credentials to the next modules in the stack, to provide the ability for more compilcated combinations, and so that the user does not have to re-enter his password for every module (just enters his password, and if it is OK one module will already succeed)
Another important idea is that of Single Sign-On, being part of the standard's name. That means, that a user only has to authenticate once, at login or beginning of a session, and then when requesting different or further services, the authentication tokens can be passed on, and the user needs not go through the same process again - if the original authenticator is trusted.
PAM modules can be statically linked - but then they lose a lot of their point - programs do - or at least the library does - need to be rebuilt.
When dynamically linked, the PAM library uses the libdl library functions (dlopen, etc.) to load a PAM module, which is a shared object file, and calls the relevant functions within it, passing them a pointer to a pam_handle that can be used to converse with the application.