diff --git a/Cargo.toml b/Cargo.toml
index 3f3db69c..eccfc274 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -61,7 +61,6 @@ native-tls = "0.2"
 nix = "0.26.1"
 once_cell = "1.3.1"
 openssl = "0.10"
-pam = "0.7"
 pam-sys = "0.5"
 percent-encoding = "2.1"
 pin-utils = "0.1.0"
diff --git a/proxmox-auth-api/Cargo.toml b/proxmox-auth-api/Cargo.toml
index f9d07e6e..f0abdc67 100644
--- a/proxmox-auth-api/Cargo.toml
+++ b/proxmox-auth-api/Cargo.toml
@@ -21,7 +21,6 @@ libc = { workspace = true, optional = true }
 log = { workspace = true, optional = true }
 http = { workspace = true, optional = true }
 openssl = { workspace = true, optional = true }
-pam = { workspace = true, optional = true }
 pam-sys = { workspace = true, optional = true }
 percent-encoding = { workspace = true, optional = true }
 regex = { workspace = true, optional = true }
@@ -50,4 +49,4 @@ api = [
     "dep:proxmox-router",
     "dep:proxmox-tfa",
 ]
-pam-authenticator = [ "api", "dep:libc", "dep:log", "dep:pam", "dep:pam-sys" ]
+pam-authenticator = [ "api", "dep:libc", "dep:log", "dep:pam-sys" ]
diff --git a/proxmox-auth-api/debian/control b/proxmox-auth-api/debian/control
index 7c8d1af0..b07ef43c 100644
--- a/proxmox-auth-api/debian/control
+++ b/proxmox-auth-api/debian/control
@@ -90,7 +90,6 @@ Depends:
  librust-proxmox-auth-api+api-dev (= ${binary:Version}),
  librust-libc-0.2+default-dev (>= 0.2.107-~~),
  librust-log-0.4+default-dev (>= 0.4.17-~~),
- librust-pam-0.7+default-dev,
  librust-pam-sys-0.5+default-dev
 Provides:
  librust-proxmox-auth-api-0+pam-authenticator-dev (= ${binary:Version}),
diff --git a/proxmox-auth-api/src/pam_authenticator.rs b/proxmox-auth-api/src/pam_authenticator.rs
index 6e2ce1d2..745b13ef 100644
--- a/proxmox-auth-api/src/pam_authenticator.rs
+++ b/proxmox-auth-api/src/pam_authenticator.rs
@@ -25,10 +25,33 @@ impl crate::api::Authenticator for Pam {
         password: &'a str,
     ) -> Pin> + Send + 'a>> {
         Box::pin(async move {
-            let mut auth = pam::Authenticator::with_password(self.service).unwrap();
-            auth.get_handler() .set_credentials(username.as_str(), password);
-            auth.authenticate()?;
+            let mut password_conv = PasswordConv {
+                login: username.as_str(),
+                password,
+            };
+            let conv = pam_sys::types::PamConversation {
+                conv: Some(conv_fn),
+                data_ptr: &mut password_conv as *mut _ as *mut c_void,
+            };
+            let mut handle = std::ptr::null_mut();
+            let err = pam_sys::wrapped::start(self.service, Some(username.as_str()), &conv, &mut handle);
+            if err != PamReturnCode::SUCCESS {
+                bail!("error opening pam - {err}");
+            }
+            let mut handle = PamGuard {
+                handle: unsafe { &mut *handle },
+                result: PamReturnCode::SUCCESS,
+            };
+            handle.result = pam_sys::wrapped::authenticate(handle.handle, pam_sys::types::PamFlag::NONE);
+            if handle.result != PamReturnCode::SUCCESS {
+                bail!("authentication error - {err}");
+            }
+            Ok(())
         })
     }
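Review bot: The failure message after the `authenticate` call, `bail!("authentication error - {err}")`, formats `err`, which still holds the return code of `start` (necessarily SUCCESS once that branch is reached), so the real PAM result sitting in `handle.result` is never reported; it should read `bail!("authentication error - {}", handle.result);`. The removed `pam::Authenticator::authenticate` wrapper, as far as I recall, also ran `pam_acct_mgmt` after `pam_authenticate`, whereas the new code only calls `pam_sys::wrapped::authenticate`, so account-validity policy configured in the PAM stack (expiry, lockout, access restrictions) would no longer be enforced on this login path — worth confirming and, if so, adding an `acct_mgmt` step whose result also lands in `handle.result` so that whatever `PamGuard` does on drop (presumably the `end` call; its definition is outside the hunk) sees the final status. A short comment on `data_ptr` would also help readers, e.g. `// raw pointer handed to PAM; password_conv must stay alive until the handle is ended`. The enclosing `authenticate_user` signature and the `impl` block start before the hunk.
```rust
            // … unchanged: conversation setup, pam start and PamGuard construction …
            handle.result =
                pam_sys::wrapped::authenticate(handle.handle, pam_sys::types::PamFlag::NONE);
            if handle.result != PamReturnCode::SUCCESS {
                bail!("authentication error - {}", handle.result);
            }

            // Enforce the account policy (expiry, lockout, access rules) configured in the PAM stack.
            handle.result =
                pam_sys::wrapped::acct_mgmt(handle.handle, pam_sys::types::PamFlag::NONE);
            if handle.result != PamReturnCode::SUCCESS {
                bail!("account validation error - {}", handle.result);
            }

            Ok(())
```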