I’m running KDE 5.24.6 on RHEL 9.1 (with gdm) inside a corporate network. I installed it from EPEL9 and everything seems to work well. We have krb5_use_fast = try in /etc/sssd/sssd.conf. With this configuration, users who were issued a hardware key will be prompted (most of the time…) for their PIN and one-time password from the key, but with the “try” setting, could also be prompted for their password. This seems to be related to the network latency on the system when it talks to our Kerberos servers. For example, when I’m on VPN, I get a password prompt more often than an OTP prompt, etc. We configure the OTP prompt text in a [prompting/2fa] section in sssd.conf.
When my screen locks, I need to enter a credential to unlock it. The prompt text is always “Password”, but my PIN+OTP will unlock the screen most of the time. But since the prompt doesn’t distinguish between Password and OTP Token, I don’t know for sure which one to enter. Is there any way to configure this somewhere?