somepig | 6 years ago

freeipa has this

users with totp tokens can kinit using their password+totp in the password field. better still, if you use PAM for all your services, you can define hbac rules allowing users access to specific services on specific hosts.

the caveat is that the freeipa servers must be available to provide authorization even once the ticket is issued. with x509, the authenticating host doesn't need to rely on a server for anything but CRL checks
