From 2ebaaaeb1f9d5b2333a99857fa98a28c5cabbeb7 Mon Sep 17 00:00:00 2001
From: Paul Chen
Date: Tue, 7 Oct 2008 08:24:28 +0000
Subject: [PATCH] check yubikey owner when told to
---
 verifyOTP.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/verifyOTP.php b/verifyOTP.php
index 81d0c45..df7c577 100644
--- a/verifyOTP.php
+++ b/verifyOTP.php
@@ -34,15 +34,14 @@ if ($ad == null) {
 debug($ad);
 }
-//// Check the client ID
+//// Check the client ID - does the client own the Yubikey?
 //
-// TODO - This may be too strict. Since our database doesn't keep track of that
-//if ($ad['client_id'] != $client) {
-// debug('Client-'.$client.' is not the owner of the Yubikey! The key will be suspended with excessive failed attempts.');
-// sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
-// exit;
-//}
+if ($ad['chk_owner'] && $ad['client_id'] != $client) {
+ debug('Client-'.$client.' is not the owner of the Yubikey!');
+ sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
+ exit;
+}
 $k = b64ToModhex($ad['secret']); //debug('aes key in modhex = '.$k);
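Review bot: The ownership test on the added `if` line uses PHP's loose `!=`, which compares numeric-looking strings by value, so `'1'`, `'01'` and `'1.0'` all count as the same client id. An authorization decision should compare one canonical form strictly, e.g. `if ($ad['chk_owner'] && (string)$ad['client_id'] !== (string)$client) {`. The check also fails open: a row whose `chk_owner` is 0, NULL or missing skips it entirely, so the comment above the block should say that unflagged keys can be verified by any client and that this default is intended. Where `$client` comes from and whether the request has been authenticated by this point are outside the hunk; if that verification happens later, the distinct `S_BAD_CLIENT` reply and the `debug()` line would both be driven by an unverified value, and the block would be better placed after it.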