2FA with krb5

[Ken Hornstein]

>I've been running Privacyidea (https://www.privacyidea.org/) for some
>time to manage the tokens. Exposed the Application with RADIUS and told
>FreeIPA to authenticate against RADIUS. Had some rough edges, but was
>usable for me and is able to manage many kinds of tokens. 

So what's the _client_ look like?  Specifically, are you doing FAST-OTP?
If so, what client software are you using?  Does this only work on
systems with host keys, or do you do anonymous PKINIT?

--Ken