This is the part that really gets me about PAM. There really did need to be something where it sits, and the plugin approach is perfectly sound. (Aside: I hope the expressed horror at "plugins in C" is one of the satirical parts, because plenty of people really do have such a poor grasp of computing history.) On the other hand, the implementation of those basic ideas has always been plagued by inscrutable APIs/formats, poor documentation, and unnecessarily catastrophic failure modes - as shown in the talk itself, and some of the comments above. Actually working with PAM is almost as unpleasant as working with SELinux, and neither has to be so bad.