A new paragraph was added to the section "Removing password with OTP factor
from the PAM stack" in the OTP design page.
You can see the newly added paragraph in the diff or in this mail.

In sssd-1.12, we will remove the password from the PAM stack when OTP is used
to make sure use-cases like gnome-keyring are not broken. We would need more
time for the implementation of a heuristic and proper testing. Currently, the
krb5_child returns that an OTP was used during authentication (details in
the function parse_krb5_child_response). This OTP flag is used just in the
function krb5_auth_done. We will pass the OTP flag to the pam responder (sssd_pam)
and from the pam responder to the pam client (pam_sss.so). If the pam client
detects that OTP was used, it will remove the password from auth_token.
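
A sketch of the final step described above, the client acting on an OTP flag in the responder's reply, added here as an example and not taken from SSSD. The item type value, the `ex_` names and the `[type][len][data]` reply layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EX_ITEM_OTP_USED 0x1001u /* hypothetical type id, not SSSD's real value */
struct ex_client { char *authtok; size_t authtok_len; }; /* hypothetical state */

/* Walk [uint32 type][uint32 len][data] items (assumed layout, host byte order).
 * Returns 1 if the OTP item is present, 0 if absent, -1 if malformed. */
int ex_reply_has_otp(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int found = 0;
    while (pos < len) {
        uint32_t type, ilen;
        if (len - pos < 8) return -1;            /* truncated item header */
        memcpy(&type, buf + pos, 4);
        memcpy(&ilen, buf + pos + 4, 4);
        pos += 8;
        if (ilen > len - pos) return -1;         /* item runs past the buffer */
        if (type == EX_ITEM_OTP_USED) found = 1;
        pos += ilen;
    }
    return found;
}

/* If OTP was used, wipe and drop the token so later modules never see it.
 * Returns the parser result; a malformed reply leaves the token untouched. */
int ex_handle_reply(struct ex_client *c, const uint8_t *buf, size_t len)
{
    int otp = ex_reply_has_otp(buf, len);
    if (otp == 1 && c->authtok != NULL) {
        volatile char *p = c->authtok;           /* volatile keeps the wipe */
        for (size_t i = 0; i < c->authtok_len; i++) p[i] = 0;
        free(c->authtok);
        c->authtok = NULL;
        c->authtok_len = 0;
    }
    return otp;
}

int main(void)
{
    uint8_t reply[8] = {0};          /* constructed reply: one empty OTP item */
    uint32_t type = EX_ITEM_OTP_USED;
    struct ex_client c = { calloc(1, 7), 6 };
    memcpy(reply, &type, 4);
    if (c.authtok == NULL || ex_handle_reply(&c, reply, sizeof reply) != 1) return 1;
    return c.authtok == NULL ? 0 : 1; /* 0 when the token was removed */
}
```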