Adding the possibility to use SSSD for user lookups against a FreeIPA directory and supporting Kerberos for Single-Sign-On purposes seems to be a meaningful feature.
I have prepared an initial implementation of FreeIPA and Kerberos support. It allows defining a global Kerberos configuration (keytabs for host and service principals) and using one or multiple FreeIPA domains through SSSD. The current implementation does not add SSSD to the common PAM configuration, as this would probably allow all directory users administrative access to the VyOS system.
The feature is intended to be used for Single-Sign-On functions of supported services, e.g. ocserv, which is capable of performing PAM authentication combined with Kerberos GSSAPI. Another service that could be implemented is the certmonger daemon, to have CSRs signed by a FreeIPA PKI.
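
The PAM scoping concern above can be checked mechanically. The following is an added example, not code from the implementation described here: it resolves PAM includes and reports which services end up with pam_sss.so in their auth stack. The PAM file contents and the service file name "ocserv" are constructed assumptions for illustration.

```python
def auth_modules(service, files, seen=None):
    """Return the auth modules a PAM service loads, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []          # cycle guard / missing file
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0] == "@include":            # Debian-style whole-file include
            found += auth_modules(parts[1], files, seen)
            continue
        if parts[0].lstrip("-") != "auth":    # only the auth stack matters here
            continue
        i = 1
        if parts[i].startswith("["):          # bracketed control may span tokens
            while i < len(parts) and not parts[i].endswith("]"):
                i += 1
        if i + 1 >= len(parts):
            continue
        control, target = parts[i], parts[i + 1]
        if control in ("include", "substack"):
            found += auth_modules(target, files, seen)
        else:
            found.append(target.rsplit("/", 1)[-1])
    return found

def services_using_sssd(files):
    """Services (not the shared common-* files) that authenticate via SSSD."""
    return sorted(s for s in files
                  if not s.startswith("common-")
                  and "pam_sss.so" in auth_modules(s, files))

# Constructed /etc/pam.d contents: SSSD only in the service-specific stack.
SCOPED = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "sshd": "@include common-auth\naccount required pam_nologin.so\n",
    "login": "auth optional pam_faildelay.so delay=3000000\n@include common-auth\n",
    "ocserv": "auth sufficient pam_sss.so\nauth required pam_deny.so\n",
}
# Same system, but with pam_sss.so added to the common stack.
COMMON = dict(SCOPED, **{"common-auth":
    "auth [success=2 default=ignore] pam_unix.so nullok\n"
    "auth [success=1 default=ignore] pam_sss.so use_first_pass\n"
    "auth requisite pam_deny.so\nauth required pam_permit.so\n"})

if __name__ == "__main__":
    print("scoped:", services_using_sssd(SCOPED))
    print("common:", services_using_sssd(COMMON))
```

With SSSD in the common stack, every service that includes common-auth (here sshd and login) accepts directory users, which is the exposure the implementation avoids.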