Most Linux systems use PAM. If you want to use NetAuth to provide accounts to your Linux fleet, there are some additional packages that are highly recommended.


While NetAuth strives to be as reliable as possible, your NetAuth servers might still be down when you’re trying to log in. To handle this case, it is highly recommended that you have a password cache on your machines. This allows the system to keep working if you’ve logged in recently.

libpam-policycache can be obtained in source form from its repository. Binary packages are available for a number of popular Linux distributions.


If your distribution provides a packaged binary form of pam_netauth, you are strongly encouraged to use it, though if your distribution happens to be Debian-derived, make sure you’re getting a version that’s somewhat recent.

If your distribution does not provide pam_netauth, you’ll need to build it from source. It is assumed that you have a Go installation of version 1.10 or later and the dep Go dependency manager. You must also obtain the PAM headers, which will usually be in a package with a name similar to pam-devel.

Now you can build pam_netauth:

$ git clone -b <version>
$ cd pam_netauth
$ dep ensure
$ go build -buildmode=c-shared -o

To install pam_netauth, locate where your system stores security modules, usually /usr/lib/security:

$ sudo cp /usr/lib/security/
$ sudo chown root:root /usr/lib/security/
$ sudo chmod 0755 /usr/lib/security/


Configuring a service to use pam_netauth takes the same form as configuring any other PAM service. An example system-auth file is shown below that includes the recommended approach with libpam-policycache. pam_netauth implements the auth service only.

Note that for pam_netauth to work, you will need an existing NetAuth configuration file installed at /etc/netauth.toml.

Example system-auth:


auth    [success=4 default=ignore] try_first_pass nullok
auth    [success=3 default=ignore] try_first_pass action=check
auth    [success=ok default=die] try_first_pass
auth    [success=1 default=ignore] try_first_pass action=update
auth    required
auth    required
auth    required

account   required
account   optional
account   required

password  required     try_first_pass nullok sha512 shadow
password  optional

session   required
session   optional    usergroups
session   required
session   required
session   optional

Note that in the above file is used to provide home directories instead of networked storage. If your environment has networked storage substitute an appropriate module such as
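
The skip counts in the auth lines of the example system-auth decide which lines run for a given login, so they are worth checking whenever the stack is edited. The following Python sketch is an added example, not part of pam_netauth or the original page: it walks those seven auth lines under a simplified model of PAM control handling (only success and default are evaluated, and a jump only moves the position). Lines are identified by position because the listing shows no module names.

```python
# Added example: simplified model of PAM control flow for the auth lines above.
# Module names are not modelled; each line is identified by its position (1-7).
AUTH_STACK = [                      # control fields copied from the auth lines
    "[success=4 default=ignore]",
    "[success=3 default=ignore]",
    "[success=ok default=die]",
    "[success=1 default=ignore]",
    "required",
    "required",
    "required",
]
# Assumption of this model: "required" is reduced to success=ok, default=bad.
KEYWORDS = {"required": {"success": "ok", "default": "bad"}}

def parse_control(control):
    """Turn a control field into {'success': action, 'default': action}."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    pairs = dict(p.split("=", 1) for p in control.strip("[]").split())
    default = pairs.get("default", "bad")
    return {"success": pairs.get("success", default), "default": default}

def walk(stack, succeeds):
    """succeeds: set of 1-based line numbers whose module returns success.
    Returns (lines_run, authenticated)."""
    ran, saw_ok, saw_bad, i = [], False, False, 0
    while i < len(stack):
        line = i + 1
        ran.append(line)
        ctl = parse_control(stack[i])
        action = ctl["success"] if line in succeeds else ctl["default"]
        i += 1
        if action.isdigit():        # jump: skip the next N lines
            i += int(action)
        elif action == "ok":
            saw_ok = True
        elif action == "bad":       # remember the failure, keep going
            saw_bad = True
        elif action == "die":       # fail and stop immediately
            saw_bad = True
            break
        # "ignore": no effect on the verdict
    return ran, saw_ok and not saw_bad

if __name__ == "__main__":
    # Constructed scenarios: which lines succeed for a given login attempt.
    for ok in ({1, 6, 7}, {2, 6, 7}, {3, 4, 6, 7}, {6, 7}, {3, 6, 7}):
        print(sorted(ok), "->", walk(AUTH_STACK, ok))
```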