OTP's able to be used on servers other than the one specified

Using the GUI, I try to generate an OTP for a specific IP. The OTP generates, however, penetration testers were able to use the OTP against a different IP address. Is this by design? I was under the impression OTP’s were only useable against the IP’s you enter in the IP field.

I have been working with Tyler on this.
We are using the Vault-SSH-Helper with the SSH Secrets Engine to create One Time Passwords for SSH logins to Linux machines. We have found that the OTP can be used on a different IP than the one designated on the writing of the OTP credential.

For anyone else who finds this in the future, this appears to a bug in the version of Vault SSH Helper we were using that was fixed in 0.2.0

validateIP function does restrict to a single IP · Issue #47 · hashicorp/vault-ssh-helper (github.com)