As the name implies PAM (Pluggable Authentication Modules) is used for Authentication. For example, when making an SSH connection onto a Linux system, PAM may be used for Authentication.

On a Red Hat distribution (CentOS, Fedora, Red Hat), the /etc/pam.d directory contains the PAM configuration files. For example, the /etc/pam.d/sshd file may contain something like this.

]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

The /etc/security/pam_env.conf file can be used to override environment variables. For example, let's say you have the following XDG environment variables.

~]$ env | grep XDG
XDG_SESSION_TYPE=tty
XDG_SESSION_CLASS=user
XDG_SESSION_ID=3651
XDG_RUNTIME_DIR=/run/user/1002

You could add the following to /etc/security/pam_env.conf.

XDG_SESSION_TYPE  DEFAULT=""

And then the XDG_SESSION_TYPE should be empty.

~]$ env | grep XDG
XDG_SESSION_TYPE=
XDG_SESSION_CLASS=user
XDG_SESSION_ID=3651
XDG_RUNTIME_DIR=/run/user/1002