Hide Forgot
Description of problem: Introduce different Kerberos ticket lifetimes depending on authentication method (password/2FA/PKINIT). The goal here is that 2FA is used to secure more critical systems so not only should getting in be harder (require 2FA) but ticket lifetime should be shorter. The Authentication Indicator feature introduced in RHEL 7.3 (Bug 1224057) may be leveraged for this policy.
Some example scenarios. Login to manage systems via a bastion/jump host and gain a kerberos principal that is valid for 8 hours. Initial attempt to sudo to root requires re-validation with 2FA that is valid for 2 hours (outside of DMZ). When attempting to access DMZ systems 2FA is invoked with a lifetime of 1 hour. All sudo attempts within DMZ require 2FA
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6351
Moving this to RHEL 8
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1777564 [RFE] Completion authentication indicator policy support that was implemented in RHEL 8.2. *** This bug has been marked as a duplicate of bug 1777564 ***