Makes sense, I'll do that from now on.
I think I just have a PAM issue or SSSD misconfiguration, as I decided to replace
'auth [success=1 default=ignore] pam_sss.so use_first_pass'
with
'auth [success=1 default=ignore] pam_sss.so require_cert_auth'
To force SmartCard Auth on a tty1 login. The effect this has only limits the system login
to the PRESENCE of a smartcard, and not seemingly comparing the Certificates, but it does
grab a Kerberos ticket.