diff --git a/plist b/plist
index fca97f71d..df90e4410 100644
--- a/plist
+++ b/plist
@@ -134,6 +134,7 @@
 /usr/local/etc/rc.syshook.d/stop/90-backup
 /usr/local/etc/rc.syshook.d/stop/99-config
 /usr/local/etc/ssl/opnsense.cnf
+/usr/local/libexec/opnsense-auth
 /usr/local/opnsense/contrib/IXR/IXR_Library.php
 /usr/local/opnsense/contrib/base32/Base32.php
 /usr/local/opnsense/contrib/google-api-php-client/Google/Auth/Abstract.php
diff --git a/src/Makefile b/src/Makefile
index ce78aa5da..5e842fbdd 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -1,4 +1,4 @@
-TREES=		etc man opnsense root sbin wizard www
+TREES=		etc libexec man opnsense root sbin wizard www
 ROOT=		/usr/local
 ROOT_man=	/usr/local/share
 ROOT_root=	/
diff --git a/src/libexec/opnsense-auth b/src/libexec/opnsense-auth
new file mode 100755
index 000000000..66468db34
--- /dev/null
+++ b/src/libexec/opnsense-auth
@@ -0,0 +1,82 @@
+#!/usr/local/bin/php
+<?php
+
+/**
+ *    Copyright (C) 2016-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+require_once("config.inc");
+require_once("auth.inc");
+
+
+// parse received auth data (key=value combinations separated by "\0")
+//  user=<name>
+//  password=<password>
+//  service=<pam service>
+
+$fp = fopen('php://stdin', 'r');
+$auth_data = array();
+$line = '';
+
+while (($char = fgetc($fp)) !== false) {
+    if ($char !== "\0") {
+        $line .= $char;
+    } elseif (strlen($line)) {
+        $parts = explode('=', $line, 2);
+        if (count($parts) == 2) {
+            $auth_data[$parts[0]] = $parts[1];
+        }
+        $line = '';
+    } else {
+        break;
+    }
+}
+
+$is_authenticated = false;
+$exit_status = -1;
+
+if (!empty($auth_data['user']) && isset($auth_data['password'])) {
+    $authFactory = new \OPNsense\Auth\AuthenticationFactory();
+    $is_authenticated = $authFactory->authenticate($auth_data['service'], $auth_data['user'], $auth_data['password']);
+    if ($is_authenticated) {
+        syslog(LOG_NOTICE, sprintf(
+            "user %s authenticated successfully for %s\n", $auth_data['user'], $auth_data['service']
+        ));
+        $exit_status = 0;
+    } else {
+        if (getUserEntry($auth_data['user']) === false) {
+            // signal user unknown, so PAM may consider other options
+            $exit_status = 2;
+        }
+        syslog(LOG_WARNING, sprintf(
+            "user %s could not authenticate for %s.\n", $auth_data['user'], $auth_data['service']
+        ));
+    }
+}
+
+closelog();
+exit($exit_status);
diff --git a/src/sbin/opnsense-auth b/src/sbin/opnsense-auth
deleted file mode 100755
index 66468db34..000000000
--- a/src/sbin/opnsense-auth
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/**
- *    Copyright (C) 2016-2019 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-require_once("config.inc");
-require_once("auth.inc");
-
-
-// parse received auth data (key=value combinations separated by "\0")
-//  user=<name>
-//  password=<password>
-//  service=<pam service>
-
-$fp = fopen('php://stdin', 'r');
-$auth_data = array();
-$line = '';
-
-while (($char = fgetc($fp)) !== false) {
-    if ($char !== "\0") {
-        $line .= $char;
-    } elseif (strlen($line)) {
-        $parts = explode('=', $line, 2);
-        if (count($parts) == 2) {
-            $auth_data[$parts[0]] = $parts[1];
-        }
-        $line = '';
-    } else {
-        break;
-    }
-}
-
-$is_authenticated = false;
-$exit_status = -1;
-
-if (!empty($auth_data['user']) && isset($auth_data['password'])) {
-    $authFactory = new \OPNsense\Auth\AuthenticationFactory();
-    $is_authenticated = $authFactory->authenticate($auth_data['service'], $auth_data['user'], $auth_data['password']);
-    if ($is_authenticated) {
-        syslog(LOG_NOTICE, sprintf(
-            "user %s authenticated successfully for %s\n", $auth_data['user'], $auth_data['service']
-        ));
-        $exit_status = 0;
-    } else {
-        if (getUserEntry($auth_data['user']) === false) {
-            // signal user unknown, so PAM may consider other options
-            $exit_status = 2;
-        }
-        syslog(LOG_WARNING, sprintf(
-            "user %s could not authenticate for %s.\n", $auth_data['user'], $auth_data['service']
-        ));
-    }
-}
-
-closelog();
-exit($exit_status);
diff --git a/src/sbin/opnsense-auth b/src/sbin/opnsense-auth
new file mode 120000
index 000000000..3dfd30123
--- /dev/null
+++ b/src/sbin/opnsense-auth
@@ -0,0 +1 @@
+../libexec/opnsense-auth
\ No newline at end of file