A Pluggable Authentication Module (PAM) and optional Name Service Switch (NSS) for OAuth, with optional support for OpenID Connect (OIDC).
Warning
This project is under active development and is not yet ready for production use.
- Linux (x86-64/amd64) with
glibc >= 2.31
- Linux (arm64/aarch64) with
glibc >= 2.31
- Download the latest release from the releases page
- Extract/install the client on the client machine and the server on the server machine, for example:
VERSION="X.Y.Z" # Get the latest semantic version (Without the "v" prefix!) from the releases page
# Debian/Ubuntu (x86-64/amd64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client_${VERSION}_amd64.deb
sudo dpkg -i pam-oauth-client_${VERSION}_amd64.deb
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server_${VERSION}_amd64.deb
sudo dpkg -i pam-oauth-server_${VERSION}_amd64.deb
# Debian/Ubuntu (arm64/aarch64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client_${VERSION}_arm64.deb
sudo dpkg -i pam-oauth-client_${VERSION}_arm64.deb
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server_${VERSION}_arm64.deb
sudo dpkg -i pam-oauth-server_${VERSION}_arm64.deb
# Red Hat/CentOS (x86-64/amd64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client-${VERSION}-1.x86_64.rpm
sudo rpm -i pam-oauth-client-${VERSION}-1.x86_64.rpm
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server-${VERSION}-1.x86_64.rpm
sudo rpm -i pam-oauth-server-${VERSION}-1.x86_64.rpm
# Red Hat/CentOS (arm64/aarch64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client-${VERSION}-1.aarch64.rpm
sudo rpm -i pam-oauth-client-${VERSION}-1.aarch64.rpm
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server-${VERSION}-1.aarch64.rpm
sudo rpm -i pam-oauth-server-${VERSION}-1.aarch64.rpm
# Arch Linux (x86-64/amd64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client-${VERSION}-1-x86_64.pkg.tar.zst
sudo pacman -U pam-oauth-client-${VERSION}-1-x86_64.pkg.tar.zst
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server-${VERSION}-1-x86_64.pkg.tar.zst
sudo pacman -U pam-oauth-server-${VERSION}-1-x86_64.pkg.tar.zst
# Arch Linux (arm64/aarch64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client-${VERSION}-1-aarch64.pkg.tar.zst
sudo pacman -U pam-oauth-client-${VERSION}-1-aarch64.pkg.tar.zst
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server-${VERSION}-1-aarch64.pkg.tar.zst
sudo pacman -U pam-oauth-server-${VERSION}-1-aarch64.pkg.tar.zst
# Alpine Linux (x86-64/amd64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client_${VERSION}_x86_64.apk
sudo apk add pam-oauth-client_${VERSION}_x86_64.apk
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server_${VERSION}_x86_64.apk
sudo apk add pam-oauth-server_${VERSION}_x86_64.apk
# Alpine Linux (arm64/aarch64)
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-client_${VERSION}_aarch64.apk
sudo apk add pam-oauth-client_${VERSION}_aarch64.apk
wget -q https://github.com/Wakeful-Cloud/pam-oauth/releases/download/v${VERSION}/pam-oauth-server_${VERSION}_aarch64.apk
sudo apk add pam-oauth-server_${VERSION}_aarch64.apk
- Initialize the server:
# The localhost is so the client can be installed on the same machine as the server (Feel free to omit this if the client will never be installed on the same machine as the server)
sudo pam-oauth-server initialize --server-common-name=<server hostname> --server-dns-san=<alternate server hostname> --server-dns-san=localhost --server-ip-san=127.0.0.1 --server-ip-san=::1 --server-ip-san=<alternate server IP>
-
Update the server configuration (e.g.: OAuth provider's details, listening address) in
/etc/pam-oauth/server.toml
-
Add a client:
sudo pam-oauth-server client add --client-common-name=<client hostname> --client-dns-san=<alternate client hostname> --client-ip-san=<client IP> --client-cert=<path to save client certificate to> --client-key=<path to save client key to>
Note: if the server is already running, you'll need to restart it for the changes to take effect.
- Initialize the client:
sudo pam-oauth-client initialize
-
Update the client configuration (e.g.: server's address) in
/etc/pam-oauth/client.toml
-
Start the server:
# If using systemd
sudo systemctl start pam-oauth-server
# Or manually
sudo pam-oauth-server serve
- Update the PAM configuration (e.g.:
/etc/pam.d/sshd
):
+ auth sufficient pam_oauth.so /usr/bin/pam-oauth-client --config /etc/pam-oauth/client.toml run
# All other auth rules
@include common-auth
Note: the sufficient
keyword means that if this module succeeds, the rest of the auth
stack (i.e.: password or key-based authentication) will be skipped.
- Update the NSS configuration (e.g.:
/etc/nsswitch.conf
):
- passwd: files systemd
- group: files systemd
+ passwd: files systemd oauth
+ group: files systemd oauth
- Update the SSH server configuration (e.g.:
/etc/ssh/sshd_config
):
- ChallengeResponseAuthentication no
- KbdInteractiveAuthentication no
- UsePAM no
+ ChallengeResponseAuthentication yes
+ KbdInteractiveAuthentication yes
+ UsePAM yes
- Restart the SSH server:
sudo systemctl restart sshd
The prompt message template is a Go text template which is used to generate the message to prompt the user to open the authentication URL. The following variables are available:
.Username
: the username of the user attempting to authenticate.Url
: the authentication URL
The create user command is a shell command which is used to create a user. The environment variables that are passed to the command are determined by the callback expression along with the following:
PAM_OAUTH_USERNAME
: the username of the user attempting to authenticate
The callback expression is an Expr (Domain-Specific Language/DSL) expression which must:
- Verify that the username of the user attempting to authenticate matches the username of the user who authenticated with the OAuth provider
- Verify that the user is authorized to use PAM OAuth
- Return any and all variables that are required by the create user command
The following variables are passed to the callback expression:
username: string
: the username of the user attempting to authenticateaccessToken: string
: the raw access tokenrefreshToken: string
: the raw refresh tokenoauthToken: struct
: the OAuth token returned by the OAuth providerexpiry: time.Time
: the expiry time of the tokentype: string
: the type of the token
idToken: struct | nil
: the ID token returned by the OIDC provider (Only if theoidc_url
is set in the OAuth client configuration)accessTokenHash: string
: the access token hashaudience: []string
: the audience of the tokenclaims: map[string]any
: the claims of the tokenexpiry: time.Time
: the expiry time of the tokenissuedAt: time.Time
: the time the token was issuedissuer: string
: the issuer of the tokennonce: string
: the nonce of the tokenraw: string
: the raw tokensubject: string
: the subject of the token
clientCert: struct
: the PAM OAuth client certificatesubject: string
: the subject of the certificateissuer: string
: the issuer of the certificatednsSans: []string
: the DNS subject alternative names of the certificateipSans: []net.IP
: the IP subject alternative names of the certificateserialNumber: string
: the serial number of the certificatesignature: string
: the hex-encoded signature of the certificatesignatureAlgorithm: string
: the signature algorithm of the certificatevalidFrom: time.Time
: the time the certificate is valid fromvalidTo: time.Time
: the time the certificate is valid tokeyUsage: []string
: the key usages of the certificateextKeyUsage: []string
: the extended key usages of the certificate
The following return values are expected to be returned by the callback expression:
ok: bool
: whether or not to allow the user to authenticatemessage: string
: the message to show to the user if rejectedenv: map[string]string
: the environment variables to pass to the create user command running on the client (Note thatPAM_OAUTH_USERNAME
is always passed to the create user command)
The following functions are available in the callback expression:
- Email address utilities
parseEmail
: parses an email address into its name and domain- Parameters:
string
: the email address (e.g.:<Name> [email protected]
)
- Returns:
struct
ok: bool
: whether the email address is validname: string | nil
: the name part of the email address (e.g.:Name
), ifok
istrue
and presentlocal: string
: the local part of the email address (e.g.:username
), ifok
istrue
domain: string
: the domain part of the email address (e.g.:example.com
), ifok
istrue
- Parameters:
- JSON Web Token (JWT) utilities
parseJwt
: decodes a JWT and returns the claims- Parameters:
string
: the JWTstring
: the secret key
- Returns:
struct
ok: bool
: whether the token is valid (e.g.: not expired, signed with the provided secret, etc.)header: map[string]any | nil
: the header, ifok
istrue
claims: map[string]any | nil
: the claims, ifok
istrue
- Parameters:
- Regular Expression (RegEx) utilities
execRegex
: executes an RE2 regular expression and returns the first match's capturing groups- Parameters:
string
: the regular expression patternstring
: the input string
- Returns:
[]string
: the capturing groups (Including the full match as the first element)
- Parameters:
execRegexAll
: executes an RE2 regular expression and returns all matches' capturing groups- Parameters:
string
: the regular expression patternstring
: the input string
- Returns:
[][]string
: the capturing groups (Including the full match as the first element of each match)
- Parameters:
replaceRegex
: replaces first occurrences of a regular expression pattern with a replacement string- Parameters:
string
: the regular expression patternstring
: the input stringreplacement: string
: the replacement string
- Returns:
string
: the input string with all occurrences of the pattern replaced with the replacement string
- Parameters:
replaceRegexAll
: replaces all occurrences of a regular expression pattern with a replacement string- Parameters:
string
: the regular expression patternstring
: the input stringstring
: the replacement string
- Returns:
string
: the input string with all occurrences of the pattern replaced with the replacement string
- Parameters:
- Miscellaneous utilities
log
: logs a message to the server log- Parameters:
string
: the log level (One ofDEBUG
,INFO
,WARN
, orERROR
)string
: the message to log
- Parameters:
// Get the email from the ID token
let email = idToken?.claims?.email;
// Assertions
let emailOk = email != nil;
let usernameOk = email == username;
// Return
!emailOk
? {
ok: false,
message: "Your email address is invalid",
env: {},
}
: !usernameOk
? {
ok: false,
message: "Your username does not match your email address",
env: {},
}
: {
ok: true,
message: "",
env: {
"COMMENT": email
},
}
Note: this expression will still allow anyone who succesfully authenticates with the OAuth provider to authenticate with PAM OAuth. Furthermore, users must connect using their full email address when using SSH (e.g.: ssh [email protected]@ssh.example.com
) .
// Settings
let allowedDomains = ["mail.example.com"];
let allowedUsers = ["user1"];
// Get the email from the ID token
let email = idToken?.claims?.email;
// Parse the email
let parsedEmail = email != nil ? parseEmail(email) : nil;
// Assertions
let emailOk = parsedEmail != nil && parsedEmail.ok;
let emailDomainOk = parsedEmail?.domain in allowedDomains;
let emailLocalOk = parsedEmail?.local == username;
let usernameOk = username in allowedUsers;
// Return
!emailOk
? {
ok: false,
message: "Your email address is invalid",
env: {},
}
: !emailDomainOk
? {
ok: false,
message:
"Your email domain is not allowed (Expected one of: " +
join(allowedDomains, ", ") +
", got: " +
parsedEmail.domain +
")",
env: {},
}
: !emailLocalOk
? {
ok: false,
message:
"Your username does not match your email address (Expected: " +
parsedEmail.local +
", got: " +
username +
")",
env: {},
}
: !usernameOk
? {
ok: false,
message: "You are not authorized to use PAM OAuth",
env: {},
}
: {
ok: true,
message: "",
env: {
"COMMENT": email
},
}
Note: this expression will only allow users with an email address from the mail.example.com
subdomain to authenticate with PAM OAuth. Furthermore, users must connect using only the local part of their email address when using SSH (e.g.: ssh [email protected]
). If you allow multiple domains (instead of a single domain, as with the above), be careful to ensure that the username
is unique across all domains (e.g.: suffix the username with some form of the domain name).
- The server fails to start
- Verify that the server is not already running:
sudo systemctl status pam-oauth-server
- Check the server logs for errors:
sudo journalctl -u pam-oauth-server
- Check the server configuration for misconfigurations (See the setup instructions):
sudo cat /etc/pam-oauth/server.toml
- Manually start the server:
sudo pam-oauth-server serve
- When connecting to a server configured with PAM OAuth, SSH never prompts the user to authenticate with PAM OAuth (i.e.: it reverts to other authentication methods, such as password or key-based authentication)
- Restart the SSH server:
sudo systemctl restart sshd
- Check the SSH server logs for errors:
sudo journalctl -u ssh
# Or
sudo journalctl -u sshd
- Check the PAM configuration for misconfigurations (See the setup instructions):
sudo cat /etc/pam.d/sshd
- Check the NSS configuration for misconfigurations (See the setup instructions):
sudo cat /etc/nsswitch.conf
- Check the SSH server configuration for misconfigurations (See the setup instructions):
sudo cat /etc/ssh/sshd_config
- Check the PAM OAuth client configuration for misconfigurations (See the setup instructions):
sudo cat /etc/pam-oauth/client.toml
- Manually run the PAM OAuth client:
sudo PAM_RHOST="localhost" PAM_RUSER="username" PAM_SERVICE="sshd" PAM_TTY="tty0" PAM_USER="username" PAM_TYPE="pam_sm_authenticate" pam-oauth-client run
Note: replace username
with the username of the user attempting to authenticate.
- Install the tools:
- Clone the repository:
git clone --recursive https://github.com/wakeful-cloud/pam-oauth.git
- Install dependencies:
go mod download
You can run all security audits with:
task audit
You can build everything with:
task build
You can package everything with:
task package
- Build everything using the instructions above
- Initialize the server
./dist/bin/pam-oauth-server --config ./dev/server.toml initialize --server-common-name localhost --server-ip-san 127.0.0.1 --server-ip-san ::1 --server-ip-san 172.17.0.1
-
Update the server configuration (e.g.: OAuth provider's details, listening address)
-
Add the client:
./dist/bin/pam-oauth-server --config ./dev/server.toml client add --client-common-name test --client-cert ./dev/internal-client.crt --client-key ./dev/internal-client.key
- Initialize the client:
./dist/bin/pam-oauth-client --config ./dev/client.toml initialize
-
Update the client configuration (e.g.: server's address)
-
Start the server:
go run ./cmd/server --config ./dev/server.toml serve
- Start the persistent container:
docker run -it -d -v $(pwd):/go/src/github.com/wakeful-cloud/pam-oauth --name pam-oauth ubuntu:latest
- Attach to the container:
docker exec -it pam-oauth /bin/bash
- Setup the container:
# Install dependencies
apt update
apt install -y libpam0g libpam0g-dev nano openssh-server openssl
# Setup SSH
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
sed -i -E -e 's/#?ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' -e '#?KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' -e 's/#?UsePAM no/UsePAM yes/' -e 's/#?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
ssh-keygen -a 100 -t ed25519 -f /root/.ssh/id_ed25519 -N ""
service ssh start && service ssh stop # Fix directory creation bug
# Setup PAM
cp /etc/pam.d/sshd /etc/pam.d/sshd.old
sed -i -E -e '1iauth sufficient /go/src/github.com/wakeful-cloud/pam-oauth/dist/bin/pam_oauth.so /go/src/github.com/wakeful-cloud/pam-oauth/dist/bin/pam-oauth-client --config /go/src/github.com/wakeful-cloud/pam-oauth/dev/client.toml run' /etc/pam.d/sshd
# Setup NSS
cp /etc/nsswitch.conf /etc/nsswitch.conf.old
sed -i -E -e 's/passwd: (.*)/passwd: \1 oauth/' -e 's/group: (.*)/group: \1 oauth/' /etc/nsswitch.conf
# Link the shared libraries
ln -s /go/src/github.com/wakeful-cloud/pam-oauth/dist/bin/libnss_oauth.so /lib/x86_64-linux-gnu/libnss_oauth.so
ln -s /go/src/github.com/wakeful-cloud/pam-oauth/dist/bin/libnss_oauth.so /lib/x86_64-linux-gnu/libnss_oauth.so.2
# Configure the login shell permissions
chown root:root /go/src/github.com/wakeful-cloud/pam-oauth/dist/bin/pam-oauth-login
chmod 6755 /go/src/github.com/wakeful-cloud/pam-oauth/dist/bin/pam-oauth-login
- Start the SSH server:
/usr/sbin/sshd -D -d
- In a new terminal, attatch to the container again and attempt to authenticate over SSH:
ssh username@localhost
dist/
: build artifactsbin/
: compiled binariespam-oauth-client
: client binarypam-oauth-login
: login shell binarypam-oauth-server
: server binary
lib/
: shared librariespam_oauth.so
: PAM module shared librarylibnss_oauth.so
: NSS module shared library
man/
: man pagespkg/
: package archives
cmd/
: command line interfacesclient/
: client commandlogin/
: login shell commandserver/
: server command
internal/*
: internal packageslib/*
: C shared librariesnss.c
: NSS stub resolverpam.c
: PAM module wrapper
The PAM module wrapper and client executable communicate using NDJSON over standard output.
type: string
:"prompt"
style: int
: the prompt style (1: echo off, 2: echo on, 3: error, 4: text info)message: string
: the message to prompt the user
type: string
:"putenv"
name: string
: the name of the environment variablevalue: string
: the value of the environment variable