From e87bf491f72d7176be9c6f35732597f7e1434799 Mon Sep 17 00:00:00 2001
From: Paul Chen
Date: Wed, 24 Sep 2008 01:52:08 +0000
Subject: [PATCH] loosen the client checking, will make it optional
---
 verifyOTP.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/verifyOTP.php b/verifyOTP.php
index 8b4ca2e..212b884 100644
--- a/verifyOTP.php
+++ b/verifyOTP.php
@@ -45,11 +45,13 @@ if ($ad == null) {
 //// Check the client ID
 //
-if ($ad['client_id'] != $client) {
- debug('Client-'.$client.' is not the owner of the Yubikey! The key will be suspended with excessive failed attempts.');
- sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
- exit;
-}
+// TODO - This may be too strict. Since our database doesn't keep track of that
+
+//if ($ad['client_id'] != $client) {
+// debug('Client-'.$client.' is not the owner of the Yubikey! The key will be suspended with excessive failed attempts.');
+// sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
+// exit;
+//}
 $k = b64ToModhex($ad['secret']);
 //debug('aes key in modhex = '.$k);
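Review bot: Commenting out the `$ad['client_id'] != $client` comparison removes the only ownership check visible in this hunk, so a request from any client ID that reaches this point now proceeds to key handling for a Yubikey registered to a different client, and `S_BAD_CLIENT` is never returned from here. The subject says the check will become optional, but the new code disables it unconditionally; gating it would keep strict behaviour as the default, e.g. `if ($enforceClientOwner && $ad['client_id'] != $client) {`, where `$enforceClientOwner` is a placeholder for whatever setting name the project chooses. If the check does stay off, keeping the `debug()` call for mismatches would preserve a log trail of cross-client verification attempts. The TODO sentence also stops mid-thought ("doesn't keep track of that") and should name the data the database lacks. The rest of the script, including how `$client` is established, lies outside this hunk.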