Hello, I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*". $ cat kdc.conf ... [otp]         softid = {                 server = 192.168.0.68:1812                 secret = /etc/.radius.secret                 strip_realm = true                 indicator = strong                 #timeout = <integer> (default: 5 [seconds])                 #retries = <integer> (default: 3)         } The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.* $ kadmin.local getstrs alice otp: [{"type":"softid"}] $ kadmin.local getstrs bob otp: [{"type":"softid"} Alice's password was purged with the command kadmin.local purgekeys -all alice On the sssd host (RHEL 7.9), sssd service uses the following configuration file [sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9 [nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9 [pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5 [domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400 ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman min_id = 10000 max_id = 20000 #enumerate = False enumerate = True [ssh] debug_level = 9 # klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- --------------------------------------------------------------------------    2 host/sssd.dns.podman(a)DNS.PODMAN    2 host/sssd.dns.podman(a)DNS.PODMAN    2 host/sssd.dns.podman(a)DNS.PODMAN    2 host/sssd.dns.podman(a)DNS.PODMAN    2 host/sssd.dns.podman(a)DNS.PODMAN    2 host/sssd.dns.podman(a)DNS.PODMAN The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value. $ kadmin getstrs host/sssd.dns.podman require_auth: strong When ssh to the sssd host with *alice* account, authentication using otp is working fine [root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~] However, if I ssh to the sssd host with *bob* account, I can login with bob's password even if the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value [root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$ 1. Why password authentication for bob principal succeeded while authentication indicator is "strong" ? 2. Is it possible to configure sssd to enforce "otp" authentication ?