On Fri, 19 Mar 2021 at 15:46, David Harvey <davidcharvey@googlemail.com> wrote:
Hello again list,

Is it possible to differentiate between a Kerberos ticket that was granted with OTP and one that was not (for the purpose of requiring it for `ipa some-privileged command`)?

Aim: protect servers with OTP but not always require it for workstations, while still requiring OTP for the privileges that ipa commands afford powerful users from their workstations.

Other potential avenues I'd be interested in (full admission: less research performed here) would be periodic requirements for OTP, but not for, say, screen unlock events.
I assume nothing has changed on this since "[Freeipa-users] different security policy for login(password+otp) and screenlock (password only) for workstation".

Thanks as always,

David