A lightweight Linux authentication agent that integrates with Okta and Active Directory for secure login, user profile management, and sudo access — without relying on /etc/passwd or /etc/sudoers.
- Authenticate Linux users against Okta (supporting MFA)
- Dynamically create temporary user profiles using a local SQLite cache
- Allow secure privilege elevation without touching sudoers
- Fully configurable, encrypted, and extensible
- Written in Go and C for performance and system integration
```text
pam-okta-helper/
├── main.go           # Entrypoint — handles login flow
├── go.mod / go.sum   # Go modules
├── config/
│   └── config.go     # Environment/config loading
├── db/
│   ├── db.go         # SQLite DB bootstrap/init
│   └── schema.sql    # User table schema
├── model/
│   └── user.go       # User struct (mapped to DB)
├── oktaauth/
│   └── auth.go       # Okta login and MFA logic
├── util/
│   └── logger.go     # Shared logger across modules
├── pam/
│   └── pam_module.c  # [WIP] PAM integration in C
└── README.md         # You're here!
```
- Go 1.20+
- SQLite3
- A free Okta Developer account (or AD federated with Okta)
```shell
go mod tidy
go build -o pam-okta-helper
./pam-okta-helper
```

Follow the prompts to enter your Okta credentials.
- All user credentials are verified directly with Okta.
- Local cache (SQLite) uses encrypted values (TBD).
- Logger is configurable and does not leak secrets.
- MFA handled via Okta Verify and TOTP (in progress).
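One way the local cache could keep a temporary user profile (including the Okta session token) encrypted at rest, as an added example rather than the project's own code: it seals the record with AES-GCM in memory instead of going through the project's SQLite layer, and the names CachedUser, Cache, NewCache, Seal and Open are assumptions, not identifiers from this repository.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)
// CachedUser stands in for the project's model.User; its fields are assumptions.
type CachedUser struct {
	Username     string    `json:"username"`
	SessionToken string    `json:"session_token"` // Okta session token, never cached in clear
	ExpiresAt    time.Time `json:"expires_at"`    // when the temporary profile lapses
}
// Cache seals profiles with AES-GCM under one key (16, 24 or 32 bytes).
type Cache struct{ aead cipher.AEAD }
func NewCache(key []byte) (*Cache, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Cache{aead: aead}, err
}
// Seal prepends a random nonce and binds the username as associated data, so a record cannot be re-labelled for another account.
func (c *Cache) Seal(u CachedUser) ([]byte, error) {
	plain, _ := json.Marshal(u)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plain, []byte(u.Username)), nil
}
// Open rejects tampered, mislabelled or expired records; on error the caller falls back to a fresh Okta login.
func (c *Cache) Open(username string, sealed []byte, now time.Time) (u CachedUser, err error) {
	n := c.aead.NonceSize()
	if len(sealed) < n {
		return u, errors.New("cache record too short")
	}
	plain, err := c.aead.Open(nil, sealed[:n], sealed[n:], []byte(username))
	if err != nil {
		return u, errors.New("cache record failed authentication")
	}
	if err := json.Unmarshal(plain, &u); err != nil || !now.Before(u.ExpiresAt) {
		return CachedUser{}, errors.New("cache record malformed or expired")
	}
	return u, nil
}
```

The key itself still has to live somewhere the helper can read but an unprivileged user cannot, which is the part the (TBD) note above leaves open.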
Want to test login without PAM?

```shell
go run main.go
```

To simulate PAM authentication, a pam_module.c file is provided and will be integrated later.
- Okta authentication with session token
- Local DB cache for authenticated users
- Project-wide logger injection
- MFA Challenge for TOTP and Okta Verify
- PAM integration
- NSS module to simulate /etc/passwd entries
- Privilege escalation without sudoers
Pull requests and forks welcome! Please follow standard Go conventions.
```shell
git clone https://github.com/yourusername/pam-okta-helper.git
cd pam-okta-helper
```

Open issues or enhancements via GitHub issues.