Oratorian 47
Posted 42 minutes ago (edited)

Hi all,

I've built an Emby Server authentication plugin and I'm looking for a few people to test it and give feedback before I clean it up for wider release.

What it does

It lets users sign in to Emby with their operating-system account credentials instead of an Emby-native password:

- Windows - validates against the local account database via LogonUser (optional AD domain validation too).
- Linux - validates via PAM.

One DLL handles both; it detects the OS at runtime.

Features

- Auto-creates a matching Emby user on first successful login (optional).
- Group-based access control, configured from the dashboard:
  - Allowed groups (a user must be in one of these OS groups to log in)
  - Admin groups (members become Emby admins).
- Password is never written to disk, logs, or the command line.
- Its own settings page + menu entry in the dashboard.

Status — what I've actually tested

Confirmed working on my own machines:

- Windows 11, Emby 4.9.5.0 - local account login and group-to-admin mapping working (correctly picks up localized group names, e.g. "Administratoren" on a German install).
- Linux - login via the PAM helper, with access-group and admin-group mapping working.

It's functional, but it's had a lot of iteration and I'd like more eyes and environments on it before calling it done.

Supported platforms (important)

Because it authenticates against the host OS accounts, it only works where Emby runs directly on the OS and you have host access:

- Windows (bare metal / VM)
- Linux (bare metal / VM)
- Docker / containers - the container has its own empty account database, not the host's
- Synology / QNAP / NAS packages - no root, compiler, or PAM access

If you're on Docker or a NAS, this isn't the right tool (LDAP/OIDC plugins are), but I'd still value your thoughts.

The Linux catch (please read before testing on Linux)

On Linux, an unprivileged process can't verify other users' passwords via PAM (unix_chkpwd refuses cross-user checks unless real-uid is 0). Emby runs unprivileged, so the plugin shells out to a tiny setuid-root helper (a ~150-line C file) that does nothing but the PAM check. You compile and install it yourself — full instructions are in the attached zip (INSTALL.md). On Windows none of this applies; the DLL is all you need.

Install (Windows — simplest)

- Drop EmbySystemLogin.dll (attached) into your plugins folder (...\Emby-Server\programdata\plugins\).
- Restart Emby.
- Dashboard → System Account Login settings → enable it, set your Allowed/Admin groups.

Single self-contained DLL, no other files needed on Windows.

What I'd love feedback on

- Does it load and work on your Emby version / OS?
- Group detection — do your OS group names show up and map the way you expect? (Enable it, try a login, and the server log prints the detected groups: [SystemAccountLogin] 'user' groups=[...] | allowedGroups=[...] adminGroups=[...].)
- The security model for the Linux helper — anything you'd do differently?
- Anything confusing in the setup.

Security note

The Linux helper runs as root, so it's deliberately tiny and auditable: it drops supplementary groups, scrubs its environment before calling PAM, and refuses to authenticate system/low-uid accounts. Source is included in the zip; please do look it over.

Thanks in advance to anyone who kicks the tyres. Happy to answer questions and share the full source.

Attachments

- EmbySystemLogin.dll - the plugin (Windows: just drop it in; Linux: also needs the helper below)
- emby-pam-helper-src.zip - Linux setuid helper source + Makefile + INSTALL.md (compile on your Linux box)

Edited 42 minutes ago by Oratorian
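
For reviewers of the Linux helper, here is an added example (not the source from the zip and not the plugin author's code) of the three pre-PAM checks the security note names, ordered so a failure stops before any PAM call. The function names, the MIN_UID cutoff of 1000 and the username character rule are assumptions; the PAM conversation itself is left out.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MIN_UID 1000  /* assumed cutoff for "system/low-uid"; distro-specific */

/* Accept only conservative login names before they reach NSS or PAM. */
int valid_username(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 32 || !(isalnum((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Refuse malformed names, unknown users and anything below MIN_UID. */
int account_allowed(const char *name) {
    if (!valid_username(name))
        return 0;
    struct passwd *pw = getpwnam(name);
    return pw != NULL && pw->pw_uid >= MIN_UID;
}

/* Remove every inherited variable so PAM modules see a fixed environment. */
int scrub_environment(void) {
    if (clearenv() != 0)
        return -1;
    return setenv("PATH", "/usr/bin:/bin", 1);
}

/* Run all checks; setgroups(0, NULL) only succeeds when euid is 0. */
int preflight(const char *name) {
    if (scrub_environment() != 0 || setgroups(0, NULL) != 0)
        return -1;
    return account_allowed(name) ? 0 : -1;
}

int main(int argc, char **argv) {
    return (argc == 2 && preflight(argv[1]) == 0) ? 0 : 1;
}
```

When auditing a helper of this kind, also confirm that the password arrives over stdin or a pipe rather than argv, and that the buffer holding it is zeroed after the PAM call returns.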