Results 10 comments of RandyParedis

Thank you for helping! On the client side (from WSL), all I get is:

```
$> ssh USER@DOMAIN@SERVER_IP
MY VERY FUNNY BANNER TEXT HERE
== Broker selection ==
1 -...
```

My PAM config is as follows:

#### /etc/pam.d/gdm-authd

```
#%PAM-1.0
auth [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
auth [success=1 ignore=ignore default=die] pam_authd.so
# If authd ignored the request...
```

> > Surprisingly, this time I got a QR code in the terminal, which does not show through ssh..
> >
> > Yeah, that's expected: Sadly we can't reliably support qr...

> As per the pamtester before, I've updated the comment to make clear that you should use an actual user name there and not mine 😄. So test that again...

I get the following error when using SSH (after changing `/etc/pam.d/common-account`):

```
Can't set default broker ("2102147668") for "USER@DOMAIN": can't set default broker "2102147668" for user "USER@DOMAIN": no result matching...
```

So, after a lot of head-scratching, it turns out that my issue is caused by a case mismatch in PAM. When I use a lowercase username, I get the problems...

@adombeck I am sorry for the late response; somehow I did not get notified of any comments... The OIDC solution does seem like a viable solution for my use case....

Thanks! I would not know where to start with a PR for this, so... I guess I will wait 😅 Cheers!

@adombeck @3v1n0 Come to think of it, there might be another solution which (I hope) could be easier to implement... Would it be possible (for instance in the PAM, or...

@adombeck No worries for the delay. Thanks for explaining. I indeed still have the use-case, for which my bypass currently is a piece of paper that instructs the users to...