Authenticate against PAM

Provides an authenticate function that will allow the caller to authenticate a user against the Pluggable Authentication Modules (PAM) on the system.

Implemented using ctypes, so no compilation is necessary.

There is one extra configuration option for PAM: the pam_service that is authenticated against. This defaults to login:

auth.pam.service: login


Solaris-like (SmartOS, OmniOS, ...) systems may need auth.pam.service set to other.


PAM authentication will not work for the root user.

The Python interface to PAM does not support authenticating as root.


Using PAM groups with SSSD groups on python2.

To use SSSD with the PAM eauth module and groups, the pysss module is needed. On RedHat/CentOS this is python-sss.

This should not be needed with Python >= 3.3, because the os module has the getgrouplist function.

class salt.auth.pam.PamConv

Wrapper class for pam_conv structure


Structure/Union member


Structure/Union member

class salt.auth.pam.PamHandle

Wrapper class for pam_handle_t


Structure/Union member

class salt.auth.pam.PamMessage

Wrapper class for pam_message structure


Structure/Union member


Structure/Union member

class salt.auth.pam.PamResponse

Wrapper class for pam_response structure


Structure/Union member


Structure/Union member

salt.auth.pam.auth(username, password, **kwargs)

Authenticate via pam

salt.auth.pam.authenticate(username, password)

Returns True if the given username and password authenticate for the given service. Returns False otherwise.

username: the username to authenticate

password: the password in plain text
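
How a ctypes binding of this kind drives the PAM conversation, as an added sketch that is not Salt's own source. The struct field names come from the PAM C headers, the Linux-PAM message layout is assumed, and make_conversation and the authenticate shown here are hypothetical names.

```python
from ctypes import (CDLL, CFUNCTYPE, POINTER, Structure, byref, c_char_p,
                    c_int, c_size_t, c_void_p, cast, sizeof)
from ctypes.util import find_library

PAM_PROMPT_ECHO_OFF = 1  # message style of a hidden (password) prompt

class PamMessage(Structure):   # struct pam_message
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]

class PamResponse(Structure):  # struct pam_response
    _fields_ = [("resp", c_char_p), ("resp_retcode", c_int)]

CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)

class PamConv(Structure):      # struct pam_conv
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]

LIBC = CDLL(None)  # symbols already loaded in this process (libc)
LIBC.calloc.restype, LIBC.calloc.argtypes = c_void_p, [c_size_t, c_size_t]
LIBC.strdup.restype, LIBC.strdup.argtypes = c_void_p, [c_char_p]

def make_conversation(password):
    """Build a callback that answers each hidden prompt with the password."""
    secret = password.encode("utf-8")
    def conversation(n_messages, messages, p_response, app_data):
        # PAM releases the replies with free(), so allocate them with libc.
        addr = LIBC.calloc(n_messages, sizeof(PamResponse))
        if not addr:
            return 5  # PAM_BUF_ERR
        p_response[0] = cast(addr, POINTER(PamResponse))
        for i in range(n_messages):
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                p_response[0][i].resp = LIBC.strdup(secret)
        return 0  # PAM_SUCCESS
    return conversation

def authenticate(username, password, service="login"):
    pam = CDLL(find_library("pam"))  # loaded only when called
    pam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    pam.pam_authenticate.argtypes = pam.pam_acct_mgmt.argtypes = [c_void_p, c_int]
    pam.pam_end.argtypes = [c_void_p, c_int]
    handle, conv = c_void_p(), PamConv(CONV_FUNC(make_conversation(password)), None)
    if pam.pam_start(service.encode(), username.encode(), byref(conv), byref(handle)):
        return False
    # Check the account too: a correct password for a locked or expired user must fail.
    result = pam.pam_authenticate(handle, 0) or pam.pam_acct_mgmt(handle, 0)
    pam.pam_end(handle, result)
    return result == 0
```
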

salt.auth.pam.groups(username, *args, **kwargs)

Retrieve groups for a given user for this auth provider

Uses system groups