Skip to content

PAM Authentication

The pam_auth plugin allows users to login to sregistry using the unix accounts on the host system.

To enable PAM authentication you must:

  • Add pam_auth to the PLUGINS_ENABLED list in shub/settings/
  • Uncomment binds to /etc/shadow and /etc/passwd in docker compose.yml
  • Build the docker image with the build argument ENABLE_PAM set to true More detailed instructions are below.


The rules with respect to user collections still hold true - each user is given push access given that they are added to a team, or USER_COLLECTIONS is true, and each user will still each need to export their token to push. You can read more about roles here, and more about teams to manage groups of people.

Getting Started

This is the detailed walkthough to set up the PAM AUthentication plugin.

First, uncomment “pam_auth” at the bottom of shub/settings/ to enable the login option.

#    'ldap_auth',
#    'globus',
#    'saml_auth'

Since we need to get access to users from the host, you need to edit the docker compose.yml and uncomment binds to your host:

  restart: always
    - .:/code
    - ./static:/var/www/static
    - ./images:/var/www/images
    # uncomment for PAM auth
    #- /etc/passwd:/etc/passwd
    #- /etc/shadow:/etc/shadow
    - redis
    - db

If you do this, we lose the user added in the container for nginx! You also need to add the nginx user to your host:

$ sudo addgroup --system nginx
$ sudo adduser --disabled-login --system --home /var/cache/nginx --ingroup nginx nginx

Note that this solution would require restarting the container for changes on the host to take effect (for example, adding new users). If you find a better way to do this, please test and open an issue to add to this documentation.

Finally, you must build the docker image with the build argument ENABLE_PAM set to true:

$ docker build --build-arg ENABLE_PAM=true -t .