A TGT comes from either a password or some other type of identication. Somehow 
you have to identify the user, whether it’s password, biometrics, or whatever. 
The process that identifies the user is assumed to create the TGT. Typically 
sssd handles login, so if you login with a password or some other kind of 
identification technology, it needs to be supported by sssd /IPA. If it, sssd 
will create the TGT as a side effect of identifying the user.

Once the TGT is generated at login, if the user goes to another system, e.g. by 
ssh. ssh or whatever passes the credentials over the connection, so they end up 
with credentials on the new system.

If credentials are generated when the user initially comes into the system, and 
they are passed every time you go to a new system, then they’ll always be 

Typically when people talk about removing passwords they’re replacing them with 
some other kind of identification, e.g. biometrics or smart cards. If that’s 
what you’re doing, then there will need to be support for the type of 
identification you’re doing in sssd. If that integration is done properly, a 
ticket will be generated when they identify themselves.

The way Kerberos supports one-time passwords, there’s a hook that should allow 
you to patch in almost any kind of identification technology. To say more we 
need to understand exactly what you’re using to replace the password.

On Apr 4, 2018, at 12:07 PM, Michael Rainey (Contractor, Code 7320) via 


My organization is working to remove the need for passwords for its end-users.  
While moving forward on this project I have noticed after logging into a system 
the user is never given a TGT after login.  A TGT can be obtained by using 
kinit and entering a password, but this defeats the purpose eliminating the use 
of passwords.  Is there some guidance I can follow to configure freeIPA to 
obtain a TGT at login.  So far my searches have come up empty.

Is this type of configuration handled by SSSD or do I need to configure 

Any guidance is greatly appreciated.

Michael Rainey

FreeIPA-users mailing list -- 
To unsubscribe send an email to 

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to