2FA - Centrally Administered

@alessandrodimarco
Can you explain why this is no option for you? You can name every app password for the user, and you can use Settings > Personal > Security > Devices & sessions to administer the access.

Maybe you can also tell us why you always talk about 2FA. That only makes sense for web access. Do your users use web access or not?

@devnull

Maybe you can also tell us why you always talk about 2FA. That only makes sense for web access. Do your users use web access or not?

Yes, correct, 2FA makes sense for web access.
Our Nextcloud has a public IP and is exposed to the Internet. It is authenticated using LDAP.
What I need is a “simple” method to administer “some” users in a particular group that should only be allowed to access Nextcloud while physically present on the site.
Those users work in rotation in a “pool” of users for each position (say 10 physical employees for one account). Each of them works in turns of a few weeks, then goes home, then comes back.

a) We don’t want them to access the system when they go home.
b) We can’t have named users (only “role” user)

The way I see it one could probably do it at least with one of the below ways:
1)
Token card / FIDO (management of cards delivery can be complex as the sites are spread all over the world and in the middle of the ocean). So I discarded that.
2)
Access based on “GEO location”. Not sure if this is bullet proof. For now I discarded that.
3)
2FA and blocking certain users from obtaining QR Code with TOTP Secret Key so they can’t put it in their phone at home or on another computer. This way they must be present on the site where a pre-configured custom authenticator is the only one that can generate valid TOTP validation keys. I am going for that.

I am currently able to deactivate the portion that allows users to change their security settings for TOTP in a selected group.
I have a custom TOTP authenticator that encrypts TOTP keys and uses the correct one based on the user currently logged in to Windows.
I was thinking to fork the TOTP code but at the moment I am more oriented to create an OCC extension that will allow me to scan users in a particular group, create the TOTP keys, generate a file that I use in the custom authenticator. This would make it easier when upgrades are happening as there’s basically only two files that need to be changed.

I hope I made sense :slight_smile:

I am not a TOTP expert. But maybe you can also use a local webserver (your users have no access to it) and then use e.g. https://github.com/lfkeitel/php-totp . Maybe you can implement the $secret in the hidden PHP code, and then with the webserver the user can get the correct TOTP in your office. You can use e.g. .htaccess to control access to the different folders for each TOTP for different users/groups. But maybe your Windows solution is better.

GeoBlocker (not tested) if you want to allow access with username/password or personalized TOTP for every user (24/7) but deny access from outside your office.

@devnull
Thanks for the links and the time used to discuss my queries.

I like your idea of using an internally accessible-only web server to serve as TOTP validation; it would simplify the roll-out of the “encrypted” keys database on each client.
On the other hand, it would flip the complexity to having to support Single Sign-On on different browsers (to be able to display the correct validation key for the currently logged-in Windows user).
Also, that works for as long as you have the ability to have a server around. If you are fully cloud based / serverless, that’d be more work on the networking side (to make the “local” web server only available to the “sites” but not elsewhere).

You could do it all in JavaScript too; basically I would need something like this, but without the Secret Key fields available…
https://totp.danhersam.com/

Geoblocker. Yes, I considered that before. Not really sure how bullet proof it is / easy to bypass. For some reasons I feel more secure with a TOTP.

Yes, I also found it in JavaScript. But JavaScript is client-side, and so the user can see the secret. :wink:

Hopefully you can combine Geoblocker and TOTP.
The only security risk is your users. Normally they cannot access from outside the IP range. With Geoblocker you can give the user TOTP 24/7, e.g. on a private smartphone (Google Authenticator). And no, that is no security risk with a private smartphone. The smartphone only implements TOTP like a calculator or the PHP/JavaScript program. And Google/Apple additionally needs the password. :wink:

An attacker must hack Geoblocker and TOTP for web access. That’s even two hurdles.

Yes, I also found it in JavaScript. But JavaScript is client-side, and so the user can see the secret. :wink:

haha yes, if you copy paste that is.
Of course using a small Node server :slight_smile: I am silly, but not sooo much :slight_smile:

Yes. But then you can also use a small webserver with php. :wink:


@alessandrodimarco
The more I think about what you want, the more I like the idea of giving each user their own token (2FA) and restricting access to Nextcloud to 2FA and geolocated to your location. Hopefully it is possible that one “pool” user has got multiple tokens.

As maybe written above you need 2FA (e.g. TOTP) only for web access. You do not need it for access via apps (e.g. Windows Nextcloud app).

The more I think about what you want, the more I like the idea of giving each user their own token (2FA) and restricting access to Nextcloud to 2FA and geolocated to your location. Hopefully it is possible that one “pool” user has got multiple tokens.

As maybe written above you need 2FA (e.g. TOTP) only for web access. You do not need it for access via apps (e.g. Windows Nextcloud app).

I have checked this and unfortunately Geolocation isn’t possible for me although it may work for others. My remote sites are “mobile” and they keep moving from one country to another. When they do that they change the remote gateway (they do this every x months).
I would need to keep chasing that…

Hello Everyone,
I have completed all that I needed and it’s working perfectly, and it allows me to define the devices “some” people can only log in to Nextcloud from (depending on group membership).
It also allows me to set up 2FA massively for such users (with a simple command line) so that the secret key is never shared with them, and without having users do anything or the admin log in to each user one by one to change their settings.

Unfortunately the solution to deactivate the TOTP personal settings is kind of a Hack.
Because I don’t know any better, I ended up commenting all of the code that displays the setting UI from:

/nextcloud/apps/settings/templates/settings/personal/security/twofactor.php

Unfortunately that disables the personal settings for everyone (so if I want to enable this for a portion of users whose settings can be “decentralized”, hence who are allowed to play with them using the normal 2FA workflow, I can’t).

I tried using the Limit to Groups function inside the App Admin settings but that disables the App entirely for the user (which means they are no longer able to use 2FA).

Does anyone know if there’s a less “hacked” way to control access to a specific Personal Settings section based on Group membership?

Without knowing any better I am guessing this could be done by changing the “PersonalSettingsController”… code…
If you have done it before and willing to share, I would be grateful (I am not a developer, just a hobby for me…)

P.S.: it may sound OT but really it would be needed for anything that needs centralized management of 2FA Keys / Access.

Thank you.

@alessandrodimarco
I think the real problem with the user and group definitions is that you are not using personalized users at all.

Other organizations would most likely use personalized users with e.g. 0 GB quota and group folders. With that, you might get similar results to yours. Perhaps there would be better ways to further restrict the personalized users.

I think the real problem with the user and group definitions is that you are not using personalized users at all.

Other organizations would most likely use personalized users with e.g. 0 GB quota and group folders. With that, you might get similar results to yours. Perhaps there would be better ways to further restrict the personalized users.

Yes, we spoke about that. The difference is that if we were doing what the others were doing, we would be paying 10x (or more) than what we pay for role users.
Can’t justify that for 2 php changes that allow me to save that kind of money…
Well unless you have shares of Microsoft :slight_smile:

User license is mostly a Microsoft and not a Nextcloud problem. Hopefully you don’t violate Microsoft’s licensing model with your user assignment to user groups anyway. Hopefully you’ve checked that out.

@devnull

User license is mostly a Microsoft and not a Nextcloud problem. Hopefully you don’t violate Microsoft’s licensing model with your user assignment to user groups anyway. Hopefully you’ve checked that out.

Of course we are not. Those are called “Device CAL”: any number of users on a single device.
We order a mix of those to match our scenario (so we are good with Microsoft).
Now, we needed to adjust Nextcloud so that we would not be forced to go to Microsoft and say “we can’t do that anymore, because the other system can’t work with role based users”; so in that sense, Nextcloud would be involved in the license increase.
But luckily… open source, so you can make the changes (which is the beauty of it).
If I could now be able to hide the personal settings based on Role Membership I would be a happy man :slight_smile:
