Hi,
I'm running FreeIPA v4.8.7. I have a requirement that end-user systems (not enrolled in FreeIPA) be allowed SSH access to FreeIPA-enrolled servers through Kerberos authentication. As of now I'm using user keytabs on the end systems to get a ticket and then authenticating to SSH with GSSAPI.
However, I've run into a few issues:
1) I've read about authentication indicators in FreeIPA. How can I enforce a policy where the end user is required to enter their password + OTP when authenticating to the web UI, but OTP remains optional for SSH login? This policy assumes that I have both "Password" and "Two factor authentication (password + OTP)" set as the user authentication methods.
2) Probably a long shot, but is there any way that user keytabs can be generated and retrieved via an API call? I'd like to have some automation so that when a new user is created on the FreeIPA server, or a user changes their password, the resulting new keytab can be downloaded on the end-user systems via an API call to the JSON-RPC endpoint.
Any help is appreciated. Thanks.