On 28/02/2024 17:23, Sam Morris via FreeIPA-users wrote:
> Another approach is possible, where you don't configure the authentication indicator requirement on the host/service objects within the directory; instead, the hosts/services are themselves responsible for examining the authentication indicators on the tickets that clients present, and enforcing a policy.
> For authentication to hosts, this can be done with pam_sss_gss.so. I've not seen it implemented anywhere else, so for cases such as having Apache check the client's ticket for an 'otp' indicator, I don't think that can be done yet.
Correction: mod_auth_gssapi has a GssapiRequiredNameAttributes directive, and it looks like this can be used to require particular auth-indicators attributes on clients' service tickets:
https://github.com/gssapi/mod_auth_gssapi?tab=readme-ov-file#gssapirequiredn...
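An added illustration of the approach described in the message above; this is not from the post or from the mod_auth_gssapi project. It is an httpd configuration fragment that protects one location with Kerberos and rejects service tickets that do not carry the 'otp' authentication indicator. The directive names come from the linked README; the exact expression syntax, the keytab path, the location and the AuthName are assumptions to verify against the README for the installed version.

```apache
# Added example (not from the post or the project). Require that the client's
# Kerberos service ticket carries the 'otp' authentication indicator before
# granting access to /admin. Paths and names below are placeholders.
<Location "/admin">
    AuthType GSSAPI
    AuthName "Kerberos login (OTP required)"
    # Keytab holding the HTTP/ service key; assumed path.
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab

    # Optional: export the authenticated name's attributes (including the
    # auth-indicators) to the environment as JSON so the application can
    # inspect or log them.
    GssapiNameAttributes json

    # The enforcement step: fail authentication unless the ticket's
    # auth-indicators attribute contains 'otp'. Expression syntax as
    # understood from the README; check it for your version.
    GssapiRequiredNameAttributes "auth-indicators=otp"

    Require valid-user
</Location>
```

With this in place the KDC still issues the service ticket to any client with a valid TGT; the check happens in the web server when the ticket is presented, which is exactly the distinction drawn in the message: policy enforced by the service rather than by the authentication indicator requirement on the service object in the directory. Test with a client that obtained its TGT via password only and one that used OTP; only the second should be admitted.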