I cannot disable "enforced two-factor authentication"

Hello,

I have been using a nextcloud instance running in docker for the past 6 months without problem. I recently decided to try the 2fa features using webauth FIDO keys and it was working fine when I set it up.

Weeks later, I realize that some of my connections like the GNOME-desktop sync I was using are not working anymore. I tried creating an app password (to bypass the 2fa) but I get:

`HTTP Error: Unauthorized`

when trying to access the files.
I am now at the point that I just want to disable 2fa enforcement, but it won’t take effect no matter what I do…

I tried doing it in Settings/Administration/Security: disabling it, adding admin to the exempt users, etc. Nothing works.

I also tried to manually change the config.php file using

`sudo docker exec --user www-data <container ID> php occ config:system:set twofactor_enforced false`

Here is my full config:

```php
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'upgrade.disable-web' => true,
  'instanceid' => 'myid',
  'passwordsalt' => 'passwordsalt',
  'secret' => 'secret',
  'trusted_domains' =>
  array (
    0 => 'my.domain.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '29.0.3.4',
  'overwriteprotocol' => 'https',
  'overwrite.cli.url' => 'https://my.domain.com/',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'password',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => 'smtp.office365.com',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '587',
  'mail_from_address' => 'my',
  'mail_domain' => 'email.com',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'my@email.com',
  'mail_smtppassword' => 'password',
  'loglevel' => 2,
  'maintenance' => false,
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
    0 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'trusted_proxies' =>
  array (
    0 => '0.0.0.0',
  ),
  'overwritehost' => 'my.domain.com',
  'overwritewebroot' => '/',
  'overwritecondaddr' => '^XXX\\.XXX\\.X\\.XXX$',
);
```

The logs don’t really show anything useful…

This is my nginx reverse proxy config:

```nginx
server {
    server_name my.domain.com;

    # Strict-Transport-Security
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";

    location / {
        proxy_pass http://0.0.0.0:0$request_uri; #nextcloud

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
```

Here are some nginx logs from a failed connection using DAV:

```
0.0.0.0 - - [16/Jul/2024:15:59:47 +0000] "GET /remote.php/webdav/ HTTP/1.1" 401 414 "-" "-"
0.0.0.0 - user [16/Jul/2024:15:59:48 +0000] "GET /remote.php/webdav/ HTTP/1.1" 200 122 "-" "-"
0.0.0.0 - - [16/Jul/2024:15:59:48 +0000] "OPTIONS /remote.php/webdav HTTP/1.1" 401 414 "-" "gvfs/1.48.2"
10.0.0.0 - user [16/Jul/2024:15:59:48 +0000] "OPTIONS /remote.php/webdav HTTP/1.1" 401 299 "-" "gvfs/1.48.2"
```

I tried disabling the webauth 2fa app I have installed on my Nextcloud, but then the login page prompts me for backup codes and tells me that 2fa is enforced (even though it shows false in the config and admin settings).
I created a new account on my Nextcloud and that account doesn't require 2fa, as it seems to read the config correctly.

I wonder if there is a cached version of the config that prevents changes to take effect for my main account…

Steps to replicate it:

  1. Create a nextcloud admin account without 2fa
  2. Enforce 2fa logins
  3. Install 2fa app and get backup codes
  4. Disable 2fa logins

I am at a loss here.

Those configuration settings do not exist. Where did you find that?
At least I never heard about it.


You could have found → this ← with the search function!

You should use

`occ twofactorauth:enforce --off`

Or you can do it in the web frontend as described in → the manual ←


I hope this is what you were looking for.


ernolf

My config was automatically generated when I used docker compose with this file:

```yaml
volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb-file-per-table=1 --skip-innodb-read-only-compressed

    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud
    restart: always
    ports:
      - 0000:80
    links:
      - db
    volumes:
      - /home/data/nextcloud:/var/www/html
    environment:
      - MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD} #change this to match the mysql_password above
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db
```

It's been 6 months; I can't remember the tutorial I followed. I think it is obvious that I am a beginner lol

For the CLI command, I found it here

I was able to fix it thanks to the links you provided me! :slight_smile:
I don’t quite get why I found the other commands while doing my research.
I'm also not sure why the GUI settings weren't working, but here are the CLI commands that fixed my problem:

```shell
sudo docker exec -u www-data <container id> php occ twofactorauth:enforce --off

sudo docker exec -u www-data <container id> php occ twofactorauth:state <uid>
```

Output:

```
Two-factor authentication is enabled for user <uid>

Enabled providers:
- backup_codes
- webauthn
```

```shell
sudo docker exec -u www-data <container id> php occ twofactorauth:disable <uid> webauthn
```

Thanks for the help!
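An added example, not code from the thread or from Nextcloud, that turns the `twofactorauth:state` check above into an audit over every account: it parses the state output (format as pasted above) and flags accounts left with only backup codes, which is the state that kept this login gated after the webauthn app was disabled. It assumes the container name in `NC_CONTAINER` and that `occ user:list` prints one `- uid: displayname` line per account.

```shell
# Added example, not code from the thread or from Nextcloud: classify accounts
# from their `occ twofactorauth:state` output and flag those whose only
# remaining provider is backup_codes, the state that kept the poster's login
# gated after the webauthn app was disabled. Assumed: the container name in
# NC_CONTAINER; the output format is the one pasted in the thread.

NC_CONTAINER=${NC_CONTAINER:-nextcloud-app}   # assumed container name

# Same occ invocation as in the thread (docker, www-data user).
occ() { sudo docker exec -u www-data "$NC_CONTAINER" php occ "$@"; }

# stdin: twofactorauth:state output; stdout: enabled provider ids, one line.
enabled_providers() {
    awk '
        /^Enabled providers:/               { on = 1; next }
        /^Disabled providers:/ || /^[ \t]*$/ { on = 0 }
        on && sub(/^- /, "")                { out = out (out ? " " : "") $0 }
        END                                 { print out }'
}

# stdin: twofactorauth:state output; prints off | ok | backup-codes-only.
classify_state() {
    case "$(enabled_providers)" in
        "")           echo off ;;
        backup_codes) echo backup-codes-only ;;
        *)            echo ok ;;
    esac
}

# Live audit of every account, run on the Docker host: "<uid> <class>" per line.
audit_all() {
    occ user:list | sed -n 's/^ *- \([^:]*\):.*/\1/p' | while read -r uid; do
        printf '%-20s %s\n' "$uid" "$(occ twofactorauth:state "$uid" | classify_state)"
    done
}

# Constructed sample mirroring the pasted output after `twofactorauth:disable
# <uid> webauthn` (uid is a placeholder); backup codes alone still gate login.
STATE_CODES_ONLY="Two-factor authentication is enabled for user alice

Enabled providers:
- backup_codes
"

printf 'alice: %s\n' "$(printf '%s' "$STATE_CODES_ONLY" | classify_state)"
if [ "${1:-}" = "--live" ]; then audit_all; fi
```

Run it with `--live` on the Docker host to audit every account; without arguments it only classifies the embedded sample.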
