To use shadow passwords with PAM, you must first enable shadow passwords. Most distributions have an option to enable this at installations. If you need to enable it later, then you will need to install the shadow package(s), called "shadow-utils" on Red Hat variations and "shadow" on Debian.
Once you've followed the shadow installation process, you need to enable support for shadow passwords in PAM. In a Red Hat distribution, this means adjusting the system-auth file in the /etc/pam.d. The system-auth file contains the default PAM authentication process. This includes the pam_unix.so PAM authentication module. This module is stacked in all contexts: auth, password, account and session. The auth context stack uses the pam_unix.so module and handles authentication like so:
auth sufficient pam_unix.so try_first_pass nullok
It should automatically detect the presence of shadow passwords.
In the password context, the pam_unix.so module is also stacked to handle the changing of user passwords, like so:
password sufficient pam_unix.so nullok try_first_pass use_authtok md5 shadow
The last option on the line, shadow, is used to ensure shadow passwords are created when a password is changed. A good explanation for that can be found here.
Configuration for other distributions, like Debian, is similar and you can find more details on configuring PAM.
This was first published in October 2006