A TGT comes from either a password or some other type of identification. Somehow you have to identify the user, whether it’s password, biometrics, or whatever. The process that identifies the user is assumed to create the TGT. Typically sssd handles login, so if you login with a password or some other kind of identification technology, it needs to be supported by sssd/IPA. If it is, sssd will create the TGT as a side effect of identifying the user.

Once the TGT is generated at login, if the user goes to another system, e.g. by ssh, ssh or whatever passes the credentials over the connection, so they end up with credentials on the new system.

If credentials are generated when the user initially comes into the system, and they are passed every time you go to a new system, then they’ll always be present. 

Typically when people talk about removing passwords they’re replacing them with some other kind of identification, e.g. biometrics or smart cards. If that’s what you’re doing, then there will need to be support for the type of identification you’re doing in sssd. If that integration is done properly, a ticket will be generated when they identify themselves.

The way Kerberos supports one-time passwords, there’s a hook that should allow you to patch in almost any kind of identification technology. To say more we need to understand exactly what you’re using to replace the password.

On Apr 4, 2018, at 12:07 PM, Michael Rainey (Contractor, Code 7320) via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Greetings,

My organization is working to remove the need for passwords for its end-users. While moving forward on this project I have noticed after logging into a system the user is never given a TGT after login. A TGT can be obtained by using kinit and entering a password, but this defeats the purpose of eliminating the use of passwords. Is there some guidance I can follow to configure freeIPA to obtain a TGT at login? So far my searches have come up empty.

Is this type of configuration handled by SSSD or do I need to configure kerberos?

Any guidance is greatly appreciated.

Thanks,
--
Michael Rainey
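
A check for the situation discussed in this thread, added here and not from either poster: after login, parse the output of `klist -f` to confirm that the credential cache holds a TGT for the user's realm, that it has not expired, and that it is forwardable (the `F` flag), since ssh can only pass the credentials on to the next host when the TGT is forwardable. The `klist` output below is a constructed sample, not captured from either poster's systems.

```python
import re
from datetime import datetime

# Constructed sample of `klist -f` output on a freshly logged-in IPA client.
SAMPLE_KLIST = """Ticket cache: KCM:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
04/04/2018 12:07:01  04/05/2018 12:07:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/11/2018 12:07:01, Flags: FRIA
"""

TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")


def _parse_time(text):
    # MIT klist prints 4-digit or 2-digit years depending on build/locale.
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(text):
    """Return (principal, tickets); each ticket has service, expires, flags."""
    principal, tickets = None, []
    for line in text.splitlines():
        m = re.match(r"Default principal: (\S+)", line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line.strip())
        if m and not line.startswith("Valid"):
            tickets.append({"service": m.group(3),
                            "expires": _parse_time(m.group(2)), "flags": ""})
            continue
        m = re.search(r"Flags: (\S+)", line)
        if m and tickets:  # flags line belongs to the preceding ticket
            tickets[-1]["flags"] = m.group(1)
    return principal, tickets


def tgt_status(klist_text, now_iso):
    """Classify the cache: 'ok' or the reason sso/ssh forwarding will fail."""
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        return "no credential cache"
    realm = principal.rsplit("@", 1)[-1]
    tgt = next((t for t in tickets
                if t["service"] == f"krbtgt/{realm}@{realm}"), None)
    if tgt is None:
        return "no TGT"  # login path did not create one (sssd/IPA integration)
    if tgt["expires"] <= datetime.fromisoformat(now_iso):
        return "TGT expired"
    if "F" not in tgt["flags"]:
        return "TGT not forwardable"  # ssh cannot delegate it to the next host
    return "ok"
```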

