Arvados

Pam-python is a PAM Module that runs the Python interpreter, thus allowing PAM Modules to be written in Python.

arvados-pam is one such "PAM module written in Python." We can make have made the arvados_pam module python3-compatible enough to pass its unit tests, but it can't be shown to work in real life (and can't eliminate the python2.7 dependency) until pam-python itself is updated to work with python3. The author hasn't done this yet, but plans to.

• https://bugzilla.redhat.com/show_bug.cgi?id=1641386 "Unfortunately, it seems that at the moment it can't work without python2. Migration to python3 is "in progress", but it's not done right now."
• https://sourceforge.net/p/pam-python/tickets/5/#f4bb "Debian is coming up for a release next year, so things will happen by then. The major thing is the port to Python 3." (2018-10-25)

If we can't wait for an upstream fix (or fork pam-python and do it ourselves) another approach would be to start fresh and implement a PAM module in Go, using someone else's example like https://github.com/uber/pam-ussh. This might be a better long term solution anyway -- it looks like we never even found a way to test the libpam-python solution without hitting segfaults.

(from discussion offline) having a PAM module is worthwhile (still the best way to enable shell-over-https for CLI/browser use) but the Python solution is looking like a dead end -- it's never been stable and the connector shim isn't even aimed at production use. Porting to Go seems like the least-effort long term solution.

"I'm just letting everybody know now the tests work, I've started intergrating all the changes for a new release." -- https://sourceforge.net/p/pam-python/tickets/5/#f0a9