diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
new file mode 100644
index 000000000000..499239500acc
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
@@ -0,0 +1,64 @@
+{ buildGoModule
+, fetchFromGitHub
+, pam
+, lib
+}:
+
+buildGoModule rec {
+  pname = "pam_ussh";
+  version = "unstable-20210615";
+
+  src = fetchFromGitHub {
+    owner = "uber";
+    repo = "pam-ussh";
+    rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193";  # HEAD as of 2022-03-13
+    sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
+  };
+
+  prePatch = ''
+    cp ${./go.mod} go.mod
+  '';
+  overrideModAttrs = (_: {
+    inherit prePatch;
+  });
+
+  vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw";
+
+  buildInputs = [
+    pam
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    if [ -z "$enableParallelBuilding" ]; then
+      export NIX_BUILD_CORES=1
+    fi
+    go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
+
+    runHook postBuild
+  '';
+  checkPhase = ''
+    runHook preCheck
+
+    go test -v -p $NIX_BUILD_CORES .
+
+    runHook postCheck
+  '';
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/security
+    cp pam_ussh.so $out/lib/security
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/uber/pam-ussh";
+    description = "PAM module to authenticate using SSH certificates";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lukegb ];
+  };
+}
diff --git a/pkgs/os-specific/linux/pam_ussh/go.mod b/pkgs/os-specific/linux/pam_ussh/go.mod
new file mode 100644
index 000000000000..9adc453560a4
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_ussh/go.mod
@@ -0,0 +1,15 @@
+module github.com/uber/pam-ussh
+
+go 1.17
+
+require (
+	github.com/stretchr/testify v1.7.0
+	golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6c6832ae0547..539ecd4ec481 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -23052,6 +23052,8 @@ with pkgs;
 
   pam_usb = callPackage ../os-specific/linux/pam_usb { };
 
+  pam_ussh = callPackage ../os-specific/linux/pam_ussh { };
+
   paxctl = callPackage ../os-specific/linux/paxctl { };
 
   paxtest = callPackage ../os-specific/linux/paxtest { };