Hi all,

I'm looking to implement OTP on FreeIPA, but would prefer not to keep requesting users enter their OTP each login. In fact I get users to add their public key to their profile when adding them to FreeIPA so they can SSH to hosts using SSO auth. In the same way when they connect to a (bastion) jumphost .bashrc checks if they have a valid Kerberos ticket and issues kinit if they don't have one. What I'm after is the following:

• User connects to a jumphost and is prompted for their IPA password and 2FA code on login. Checking for a valid Kerberos ticket in .bashrc works as even if a user does certificate auth to the jumphost the kinit will prompt for a password. Which is fine, as it only happens when there's no valid Kerberos ticket.
• User connects through the jumphost (to other hosts, Kerberos and the client certificate ensures that this is fully SSO as far as user experience goes.
• A user should be prompted for a OTP (once) every 24 hours.

I want to add 2FA to this process, but only for obtaining the Kerberos ticket, not for subsequent logins. So my questions:

• Will adding 2FA break the SSO and prompt a user for a OTP on each connection they make to a host?
• If it does, is it possible to only prompt for a OTP on the first connection made by the user. I trust Kerberos auth for SSO, I just want to add 2FA to obtaining a valid Kerberos ticket.

Maybe I'm over thinking things, but I'd like to have a firm understanding on how 2FA changes things before deploying it.

Thanks,
Djerk Geurts