Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
1 vote, 1 answer, 665 views
Keycloak Authentication for Ubuntu 24.04 Login - New User Creation
I'm using Keycloak (version 26.1.0) as my identity provider for web applications and want to extend this to authenticate users logging into Ubuntu 24.04 workstations. I've successfully configured zhaow-de/pam-keycloak-oidc and datajoint-company/pam-oauth2 to connect to my Keycloak server.
However, I've hit a roadblock. Keycloak authentication only succeeds if a local user account with the same username already exists on the Ubuntu system. If the local account doesn't exist, the login fails, even though Keycloak itself authenticates the user. This is true for both `pam-keycloak-oidc` and `pam-oauth2`.
I've discovered that creating a local user (with any password) before attempting the Keycloak login resolves the issue. This suggests the PAM modules are checking for a local user before even attempting to establish a session.
My goal is to have home directories and user accounts dynamically created for Keycloak-authenticated users on their first login. I've attempted to use `pam_mkhomedir.so` in `/etc/pam.d/common-auth` to achieve this, but my analysis indicates that authentication fails before the session initialization stage where `pam_mkhomedir.so` would be invoked.
I'm doubtful about modifying the PAM config in the file `/etc/pam.d/common-auth`. Is that the correct file, or should I instead be configuring PAM in `/etc/pam.d/sshd` (or another file)? Any guidance on the correct PAM configuration to allow dynamic user creation for Keycloak-authenticated users would be greatly appreciated. I'm particularly interested in the proper order of PAM modules and how to ensure first-time user logins from the IdP and automatic creation of their home directories.
EDIT
----
Adding relevant lines of `nsswitch.conf`:
```
passwd: files systemd sss
group: files systemd sss
shadow: files systemd sss
gshadow: files systemd
```
sudo code (11 rep), Feb 11, 2025, 08:12 AM • Last activity: Feb 11, 2025, 02:58 PM
0 votes, 0 answers, 128 views
Postfix/Dovecot configuration to gmail as relay
Does anyone have a complete configuration for using Dovecot to handle OAuth2 tokens to allow Postfix to send mail to Gmail? Most use cases found are either too old or not complete. I have done the required steps from the Google API and received a credential in JSON format.
Thanks in advance,
Dean
Dean Allard (1 rep), Jan 31, 2025, 09:00 PM
7 votes, 1 answer, 367 views
Would it be a bad idea to set sources.list and sources.list.d only root permissions?
I need to add a repository that requires OAuth 2.0 authentication, so I've got to pass it an access token. One idea is to write it as a query parameter or as the Basic Auth password in the `/etc/apt/sources.list` file:
```
deb http://oauthrepourl.com?accesstoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 suite classic
```
OR
```
deb http://somelogin:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9@oauthrepourl.com suite classic
```
But I guess it would be insecure to keep an access token there, because the `sources.list` and `sources.list.d` files are readable by all users:
```
-rw-rw-r-- 1 root root 2852 апр 24 13:41 sources.list
drwxr-xr-x 2 root root 4096 сен 25 10:17 sources.list.d
```
Would it be a bad idea to make the `sources.list` and `sources.list.d` content accessible only to the root user (`-rwx------`)? You can use apt as root anyway (as it has to be, though), and normal users would not be able to steal the access token from these files.
P.S. I know there's a file `/etc/apt/auth.conf` that would help to keep it secret, but it seems my distribution's `apt` is too old and does not support it.
nst1911 (93 rep), Oct 10, 2024, 11:37 AM • Last activity: Oct 11, 2024, 05:01 AM
0 votes, 0 answers, 88 views
Store files in ftp server, accessible only for users from authentication server via OAuth2 protocol and separately for each other
We have an authentication server in our company with support for the OAuth 2 protocol.
We are thinking about an FTP repository. Could it be possible to configure an FTP repository/server so that we could provide files only for users from the authentication server (these users are not in the local `/etc/passwd` list)? And each user should see only the files assigned to him. Thank you for any notice on how to solve this, or whether it is possible.
LDonSOvrfw (1 rep), Feb 1, 2024, 12:25 PM • Last activity: Feb 7, 2024, 09:55 AM
1 vote, 2 answers, 712 views
neomutt oauth stopped working
Since last week oauth2 just stopped working. It did a while before and healed itself mysteriously and I am eager to find out what is happening here. I installed thunderbird for reference and it is working — receiving and sending emails is possible with oauth2.
I have an MS Office account and configured the authentication using the `mutt_oauth2.py` script linked in the docs, following the steps outlined in the README.
Running the script manually yields a token. Testing suggests IMAP and SMTP communication is basically working (the script seems to log in successfully, if I am correct).
```
/home/me/bin/mutt_oauth2.py /home/me/.neomutt/token --provider microsoft --verbose --test
[…]
IMAP authentication succeeded
POP authentication succeeded
SMTP authentication succeeded
```
And neomutt was working as well; however, it stopped doing so a few days ago. The logs say:
```
[2023-06-18 10:35:17] mutt_socket_write_d() 4> c0000 CAPABILITY
[2023-06-18 10:35:17] mutt_socket_readln_d() 4 cmd_parse_capability() Handling CAPABILITY
[2023-06-18 10:35:17] cmd_parse_capability() Found capability "IMAP4": 0
[2023-06-18 10:35:17] cmd_parse_capability() Found capability "IMAP4rev1": 1
[2023-06-18 10:35:17] cmd_parse_capability() Found capability "AUTH=XOAUTH2": 9
[2023-06-18 10:35:17] cmd_parse_capability() Found capability "SASL-IR": 13
[2023-06-18 10:35:17] cmd_parse_capability() Found capability "IDLE": 12
[2023-06-18 10:35:17] cmd_parse_capability() Found capability "NAMESPACE": 4
[2023-06-18 10:35:17] mutt_socket_readln_d() 4 imap_cmd_step() IMAP queue drained
[2023-06-18 10:35:17] imap_authenticate() Trying user-defined imap_authenticators
[2023-06-18 10:35:17] imap_authenticate() Trying method oauthbearer
[2023-06-18 10:35:17] mutt_sasl_client_new() SASL local ip: 2001:db8::1;38986, remote ip:2001:db8::2;993
[2023-06-18 10:35:17] mutt_sasl_client_new() External SSF: 256
[2023-06-18 10:35:17] mutt_sasl_cb_log() SASL: No worthy mechs found
[2023-06-18 10:35:17] imap_auth_sasl() oauthbearer unavailable
[2023-06-18 10:35:17] imap_authenticate() Trying method xoauth2
[2023-06-18 10:35:17] imap_auth_oauth_xoauth2() Authenticating (XOAUTH2)...
[2023-06-18 10:35:17] msgwin_recalc() recalc done, request WA_REPAINT
[2023-06-18 10:35:17] msgwin_repaint() repaint done
[2023-06-18 10:35:17] ibar_recalc() recalc done, request WA_REPAINT
[2023-06-18 10:35:17] helpbar_repaint() repaint done
[2023-06-18 10:35:17] menu_repaint() repaint done
[2023-06-18 10:35:17] ibar_repaint() repaint done
[2023-06-18 10:35:17] mutt_account_getoauthbearer() OAUTH token is too big: 2304
[2023-06-18 10:35:17] msgwin_recalc() recalc done, request WA_REPAINT
[2023-06-18 10:35:17] msgwin_repaint() repaint done
[2023-06-18 10:35:17] mutt_sasl_client_new() SASL local ip: 2001:db8::1;38986, remote ip:2001:db8::2;993
[2023-06-18 10:35:17] mutt_sasl_client_new() External SSF: 256
[2023-06-18 10:35:17] mutt_sasl_client_new() External authentication name: karl.liebich@ida.me
[2023-06-18 10:35:17] mutt_sasl_cb_authname() getting authname for outlook.office365.com:993
[2023-06-18 10:35:17] imap_auth_sasl() xoauth2 unavailable
[2023-06-18 10:35:17] imap_authenticate() No authenticators available or wrong credentials
```
- `libsasl2`-related packages were last updated in March, so there was no change there.
- Nor was there any change in my neomutt configuration or password.
- The `OAUTH token is too big: 2304` message is known and did not have any impact in the past.
---
Any hints on how to debug this further and what to do about it?
karlsebal (835 rep), Jun 18, 2023, 09:23 AM • Last activity: Jun 28, 2023, 08:54 AM
1 vote, 0 answers, 477 views
How to enable gpg password prompt for OAuth2 token in mutt
I am using mutt with outlook365 which has OAuth2 support.
I generated an access token which is checked by the following lines in my muttrc:
```
set imap_authenticators = "xoauth2"
set imap_oauth_refresh_command = "~/.config/neomutt/mutt_oauth2.py ~/.config/neomutt/mytoken.token"
set smtp_authenticators = ${imap_authenticators}
set smtp_oauth_refresh_command = ${imap_oauth_refresh_command}
```
Where `mutt_oauth2.py` is the script provided by mutt, and `mytoken.token` is a GPG-encrypted token generated accordingly.
My issue is that I have settings in my `gpg-agent.conf` for limited-time caching of my gpg password for security reasons. If this times out and I try to send an email, I am confronted with `Authenticating (XOAUTH2)...` followed by `No authenticators available`, and the email will not send.
If I input my gpg password elsewhere on the system for other purposes (via `pinentry-curses`) and then try to send again, the authentication works fine as the password is now (temporarily) in the cache.
So my question is: why does mutt not prompt me for my gpg password when trying to send, and how can I make it so that it does?
Thanks in advance.
FluidFox (11 rep), Dec 20, 2022, 09:26 AM