A TGT comes from either a password or some other type of identication. Somehow you have to identify the user, whether it’s password, biometrics, or whatever. The process that identifies the user is assumed to create the TGT. Typically sssd handles login, so if you login with a password or some other kind of identification technology, it needs to be supported by sssd /IPA. If it, sssd will create the TGT as a side effect of identifying the user.
Once the TGT is generated at login, if the user goes to another system, e.g. by ssh. ssh or whatever passes the credentials over the connection, so they end up with credentials on the new system. If credentials are generated when the user initially comes into the system, and they are passed every time you go to a new system, then they’ll always be present. Typically when people talk about removing passwords they’re replacing them with some other kind of identification, e.g. biometrics or smart cards. If that’s what you’re doing, then there will need to be support for the type of identification you’re doing in sssd. If that integration is done properly, a ticket will be generated when they identify themselves. The way Kerberos supports one-time passwords, there’s a hook that should allow you to patch in almost any kind of identification technology. To say more we need to understand exactly what you’re using to replace the password. On Apr 4, 2018, at 12:07 PM, Michael Rainey (Contractor, Code 7320) via FreeIPA-users <firstname.lastname@example.org<mailto:email@example.com>> wrote: Greetings, My organization is working to remove the need for passwords for its end-users. While moving forward on this project I have noticed after logging into a system the user is never given a TGT after login. A TGT can be obtained by using kinit and entering a password, but this defeats the purpose eliminating the use of passwords. Is there some guidance I can follow to configure freeIPA to obtain a TGT at login. So far my searches have come up empty. Is this type of configuration handled by SSSD or do I need to configure kerberos? Any guidance is greatly appreciated. Thanks, -- Michael Rainey _______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org<mailto:email@example.com> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org<mailto:freeipa-users-le...@lists.fedorahosted.org>
_______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org