diff --git a/pkgs/development/libraries/openbsm/default.nix b/pkgs/development/libraries/openbsm/default.nix
new file mode 100644
index 000000000000..a6e62cea9d7e
--- /dev/null
+++ b/pkgs/development/libraries/openbsm/default.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchFromGitHub, lib }:
+
+stdenv.mkDerivation rec {
+  pname = "openbsm";
+  name = "${pname}-${version}";
+  version = "1.1";
+
+  src = fetchFromGitHub {
+    owner = pname;
+    repo = pname;
+    rev = "${lib.toUpper (builtins.replaceStrings ["." "-"] ["_" "_"] name)}";
+    sha256 = "0b98359hd8mm585sh145ss828pg2y8vgz38lqrb7nypapiyqdnd1";
+  };
+
+  meta = {
+    homepage = http://www.openbsm.org/;
+    platforms = lib.platforms.unix;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/pkgs/development/libraries/openpam/default.nix b/pkgs/development/libraries/openpam/default.nix
new file mode 100644
index 000000000000..187f86133756
--- /dev/null
+++ b/pkgs/development/libraries/openpam/default.nix
@@ -0,0 +1,18 @@
+{ stdenv, buildPackages, hostPlatform, fetchurl, lib }:
+
+stdenv.mkDerivation rec {
+  name = "openpam-${version}";
+  version = "20170430";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/openpam/openpam/Resedacea/${name}.tar.gz";
+    sha256 = "0pz8kf9mxj0k8yp8jgmhahddz58zv2b7gnyjwng75xgsx4i55xi2";
+  };
+
+  meta = {
+    homepage = https://www.openpam.org;
+    description = "An open source PAM library that focuses on simplicity, correctness, and cleanliness";
+    platforms = lib.platforms.unix;
+    maintainers = with lib.maintainers; [ matthewbauer ];
+  };
+}
diff --git a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
index 2247ef3ddd2f..2579b0b6a0a6 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/system_cmds/default.nix
@@ -1,37 +1,104 @@
-{ stdenv, appleDerivation, xcbuild }:
+{ stdenv, appleDerivation, xcbuild, lib, hostPlatform
+, Librpcsvc, apple_sdk, pam, CF, openbsm }:
 
 appleDerivation rec {
   # xcbuild fails with:
   # /nix/store/fc0rz62dh8vr648qi7hnqyik6zi5sqx8-xcbuild-wrapper/nix-support/setup-hook: line 1:  9083 Segmentation fault: 11  xcodebuild OTHER_CFLAGS="$NIX_CFLAGS_COMPILE" OTHER_CPLUSPLUSFLAGS="$NIX_CFLAGS_COMPILE" OTHER_LDFLAGS="$NIX_LDFLAGS" build
+  # see issue facebook/xcbuild#188
   # buildInputs = [ xcbuild ];
 
-  # # temporary install phase until xcodebuild has "install" support
-  # installPhase = ''
-  #   mkdir -p $out/bin/
-  #   install system_cmds-*/Build/Products/Release/* $out/bin/
+  buildInputs = [ Librpcsvc apple_sdk.frameworks.OpenDirectory pam CF
+                  apple_sdk.frameworks.IOKit openbsm ];
+  # NIX_CFLAGS_COMPILE = lib.optionalString hostPlatform.isi686 "-D__i386__"
+  #                    + lib.optionalString hostPlatform.isx86_64 "-D__x86_64__"
+  #                    + lib.optionalString hostPlatform.isArm "-D__arm__";
+  NIX_CFLAGS_COMPILE = [ "-DDAEMON_UID=1"
+                         "-DDAEMON_GID=1"
+                         "-DDEFAULT_AT_QUEUE=\'a\'"
+                         "-DDEFAULT_BATCH_QUEUE=\'b\'"
+                         "-DPERM_PATH=\"/usr/lib/cron/\""
+                         "-DOPEN_DIRECTORY"
+                         "-DNO_DIRECT_RPC"
+                         "-DAPPLE_GETCONF_UNDERSCORE"
+                         "-DAPPLE_GETCONF_SPEC"
+                         "-DUSE_PAM"
+                         "-DUSE_BSM_AUDIT"
+                         "-D_PW_NAME_LEN=MAXLOGNAME"
+                         "-D_PW_YPTOKEN=\"__YP!\""
+                         "-DAHZV1=64 "
+                         "-DAU_SESSION_FLAG_HAS_TTY=0x4000"
+                         "-DAU_SESSION_FLAG_HAS_AUTHENTICATED=0x4000"
+                       ] ++ lib.optional (!stdenv.isLinux) " -D__FreeBSD__ ";
 
-  #   for n in 1 5 8; do
-  #     mkdir -p $out/share/man/man$n
-  #     install */*.$n $out/share/man/man$n
-  #   done
-  # '';
+  patchPhase = ''
+    substituteInPlace login.tproj/login.c \
+      --replace bsm/audit_session.h bsm/audit.h
+    substituteInPlace login.tproj/login_audit.c \
+      --replace bsm/audit_session.h bsm/audit.h
+  '';
 
-  # For now we just build sysctl because that's all I need... Please open a
-  # PR if you need any other utils before we fix the xcodebuild.
-  buildPhase = "cc sysctl.tproj/sysctl.c -o sysctl";
+  buildPhase = ''
+    for dir in *.tproj; do
+      name=$(basename $dir)
+      name=''${name%.tproj}
 
-  installPhase =
-    ''
-      mkdir -p $out/bin
-      install sysctl $out/bin
-      for n in 5 8; do
-        mkdir -p $out/share/man/man$n
-        install sysctl.tproj/*.$n $out/share/man/man$n
+      CFLAGS=""
+      case $name in
+           arch) CFLAGS="-framework CoreFoundation";;
+           atrun) CFLAGS="-Iat.tproj";;
+           chkpasswd)
+             CFLAGS="-framework OpenDirectory -framework CoreFoundation -lpam";;
+           getconf)
+               for f in getconf.tproj/*.gperf; do
+                   cfile=''${f%.gperf}.c
+                   LC_ALL=C awk -f getconf.tproj/fake-gperf.awk $f > $cfile
+               done
+           ;;
+           iostat) CFLAGS="-framework IOKit -framework CoreFoundation";;
+           login) CFLAGS="-lbsm -lpam";;
+           nvram) CFLAGS="-framework CoreFoundation -framework IOKit";;
+           sadc) CFLAGS="-framework IOKit -framework CoreFoundation";;
+           sar) CFLAGS="-Isadc.tproj";;
+      esac
+
+      echo "Building $name"
+
+      case $name in
+
+           # These are all broken currently.
+           arch) continue;;
+           chpass) continue;;
+           dirhelper) continue;;
+           dynamic_pager) continue;;
+           fs_usage) continue;;
+           latency) continue;;
+           pagesize) continue;;
+           passwd) continue;;
+           reboot) continue;;
+           sc_usage) continue;;
+           shutdown) continue;;
+           trace) continue;;
+
+           *) cc $dir/*.c -I''${dir} $CFLAGS -o $name ;;
+      esac
+    done
+  '';
+
+  installPhase = ''
+    for dir in *.tproj; do
+      name=$(basename $dir)
+      name=''${name%.tproj}
+      [ -x $name ] && install -D $name $out/bin/$name
+      for n in 1 2 3 4 5 6 7 8 9; do
+        for f in $dir/*.$n; do
+          install -D $f $out/share/man/man$n/$(basename $f)
+        done
       done
-    '';
+    done
+  '';
 
   meta = {
     platforms = stdenv.lib.platforms.darwin;
-    maintainers = with stdenv.lib.maintainers; [ shlevy ];
+    maintainers = with stdenv.lib.maintainers; [ shlevy matthewbauer ];
   };
 }
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ba19ba5f21d0..199f6e878ff5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13773,13 +13773,19 @@ with pkgs;
 
   gogoclient = callPackage ../os-specific/linux/gogoclient { };
 
+  linux-pam = callPackage ../os-specific/linux/pam { };
+
   nss_ldap = callPackage ../os-specific/linux/nss_ldap { };
 
   odroid-xu3-bootloader = callPackage ../tools/misc/odroid-xu3-bootloader { };
 
+  openpam = callPackage ../development/libraries/openpam { };
+
+  openbsm = callPackage ../development/libraries/openbsm { };
+
   pagemon = callPackage ../os-specific/linux/pagemon { };
 
-  pam = callPackage ../os-specific/linux/pam { };
+  pam = if stdenv.isLinux then linux-pam else openpam;
 
   # pam_bioapi ( see http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader )