On Nov 4, 2019, at 11:48 AM, Sumit Bose <sbose@redhat.com> wrote:

Is my assumption that one should be able to ssh to a server and have that server refresh tickets (like on a workstation) a valid one? If so, where should I concentrate my efforts to get this working?

Hi,

please have a look at the krb5_renew_interval option explained in the
sssd-krb5 man page.

To my knowledge, when SSSD renews tickets, it does so forever, even after the user has logged out. It’s worth making sure people know about that, since it can create an unexpected exposure.