On Wed, Jun 16 2021 at 07:16:09 PM +0200, Vít Ondruch
<vondruch(a)redhat.com> wrote:
I don't have enrolled my OTP. I am afraid, that once I enroll my
OPT,
I'd need to use it every time to refresh my kerberos ticket. That
would destroy the GOA experience.
The other problem is that once you enroll an OTP, it's not possible to
remove it. Hence, I've been afraid to enable it. I'd like to be able to
change my mind later. I never even considered that g-o-a wouldn't be
able to handle it, but I guess now that it's been pointed out, this
should be pretty obvious. It doesn't have any way to store anything
other than a static password, so of course it would not work. I would
be *very* unhappy had I turned on the OTP, discovered it broke g-o-a,
and then found myself unable to downgrade.
Michael