From 5f7d7964de5233705c7d50a3164e135c2007f7bc Mon Sep 17 00:00:00 2001
From: Gabriel Kihlman
Date: Mon, 4 Feb 2019 10:25:31 +0100
Subject: [PATCH] Ensure that the debug log always outputs a valid OTP and not an accidental password
Fixes issue #184
---
 pam_yubico.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pam_yubico.c b/pam_yubico.c
index 09f1b56..705bf98 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -1183,8 +1183,6 @@ pam_sm_authenticate (pam_handle_t * pamh,
 /* Copy only public ID into otp_id. Destination buffer is zeroed. */
 strncpy (otp_id, password + skip_bytes, cfg->token_id_length);
- DBG ("OTP: %s ID: %s ", otp, otp_id);
-
 /* user entered their system password followed by generated OTP? */
 if (password_len > TOKEN_OTP_LEN + cfg->token_id_length)
 {
@@ -1219,6 +1217,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
 switch(valid_token)
 {
 case AUTH_FOUND:
+ DBG ("OTP: %s ID: %s ", otp, otp_id);
 DBG ("Token is associated to the user. Validating the OTP...");
 rc = ykclient_request (ykc, otp);
 DBG ("ykclient return value (%d): %s", rc, ykclient_strerror (rc));
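Review bot: The relocated `DBG ("OTP: %s ID: %s ", otp, otp_id);` in the `AUTH_FOUND` case still writes the complete OTP to the debug output, and it does so before `ykclient_request (ykc, otp)` has submitted it. If that request fails before the validation service sees the value, the logged OTP is presumably still unspent, so the debug log would hold a usable credential for anyone who can read it. Logging only the public ID at this point, `DBG ("ID: %s", otp_id);`, keeps the diagnostic value without recording the one-time part; if the full OTP is needed for troubleshooting, emitting it after the `ykclient_request` call would at least limit the log to values that were already submitted. A short comment above the line, such as `/* only log once otp_id matched a token registered for this user, so the value cannot be a mistyped password */`, would also record why the statement lives inside this case. The switch and the enclosing pam_sm_authenticate body continue outside the hunk.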