ehlo,
A new paragraph[1] was added to the section "Removing password with OTP factor
from the PAM stack" in the OTP design page.
You can see the newly added paragraph in the diff[2] or in this mail.
In sssd-1.12, we will remove the password from the PAM stack when OTP is used
to make sure use-cases like gnome-keyring are not broken. We would need more
time for implementation of the heuristic and proper testing. Currently, the
krb5_child returns that an OTP was used during authentication (details in
function parse_krb5_child_response). This OTP flag is used just in the
function krb5_auth_done. We will pass the OTP flag to the pam responder (sssd_pam)
and from the pam responder to the pam client (pam_sss.so). If the pam client
detects that an OTP was used, it will remove the password from auth_token.
LS
[1]
https://fedorahosted.org/sssd/wiki/DesignDocs/OTPRelatedImprovements#Remo...
[2]
https://fedorahosted.org/sssd/wiki/DesignDocs/OTPRelatedImprovements?acti...
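
The flag hand-off described in the paragraph above, as an added example that is not SSSD code and not part of the original mail: a client-side handler that walks a typed reply from the responder and drops the cached auth token when an OTP marker is present. The item types, the reply layout, the struct and all function names are hypothetical; a real PAM module would clear the token through libpam rather than a local struct.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical item types for this sketch; not SSSD's wire constants. */
enum { RESP_INFO_MSG = 1, RESP_OTP_USED = 2 };
struct pam_client_state { char *auth_token; }; /* what later modules would see */

/* Overwrite before freeing so the used token does not linger in memory. */
static void drop_auth_token(struct pam_client_state *st) {
    if (st->auth_token == NULL) return;
    volatile char *p = st->auth_token;
    for (size_t n = strlen(st->auth_token); n > 0; n--) *p++ = 0;
    free(st->auth_token);
    st->auth_token = NULL;
}

/* Walk [type:u32][len:u32][data] items (host byte order).
 * Returns 0 on success, -1 if the buffer is malformed (token left untouched). */
int process_response(struct pam_client_state *st, const uint8_t *buf, size_t size) {
    size_t off = 0;
    int otp_used = 0;
    while (off < size) {
        uint32_t type, len;
        if (size - off < 8) return -1;        /* truncated item header */
        memcpy(&type, buf + off, 4);
        memcpy(&len, buf + off + 4, 4);
        off += 8;
        if (len > size - off) return -1;      /* length overruns the buffer */
        if (type == RESP_OTP_USED) otp_used = 1;
        off += len;
    }
    if (otp_used) drop_auth_token(st);        /* act only on a fully valid reply */
    return 0;
}

/* Constructed reply: one 4-byte info item, optionally an empty OTP marker.
 * Returns 1 if the token survives, 0 if it was removed, -1 on error. */
int token_survives(int with_otp) {
    uint32_t reply[] = { RESP_INFO_MSG, 4, 0x6b6f, RESP_OTP_USED, 0 };
    size_t size = with_otp ? sizeof(reply) : 3 * sizeof(uint32_t);
    struct pam_client_state st = { malloc(16) };
    if (st.auth_token == NULL) return -1;
    strcpy(st.auth_token, "sample-pw+otp");   /* constructed sample value */
    int rc = process_response(&st, (const uint8_t *)reply, size);
    int present = (rc == 0) ? (st.auth_token != NULL) : -1;
    drop_auth_token(&st);
    return present;
}
```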