The kernel delegates all authentication and authorization tasks to PAM, and it maintains in its data structures only the "tokens" (so to speak...) that are needed by its own internal mechanisms. You see how the "traditional" authentication and authorization mechanisms of Unix have been
abstracted away in Linux's present design.
Consider the scenarios of which a particular Linux box might be only a tiny part ... an installation that might have 18,000 computers in it ... serving hundreds of thousands of employees
and countless internal service processes. All managed from a
single (distributed...) administration source. (And oh by the way, the security grade is "Top Secret: Crypto.") "Password files" and even "shadow files" are but a distant memory. Linux
is called-upon to work there, and it does. Seamlessly cooperating with all the other types of computers, 24/7/365, with
uptime measured in years. It's quite the thing
to see, I assure you.