I locked myself out

Hi,

I installed Nextcloud 15 on one of my servers and everything went well. After the installation I decided to change a few settings. One of the settings was “Require F2A”. Now After a re-login I get the message to contact a admin because I didn’t add a F2A device.

Lucky enough, I still have access to the CLI (centos 7). Can I edit this setting here that I made on the GUI?

You can try to generate an OTP:

sudo -u www-data ./occ twofactorauth:admin:generate-code leonida

where “leonida” is the user ID for which a one-time login could shall be generated. See https://nextcloud-twofactor-admin.readthedocs.io/en/latest/Admin%20Documentation/

then clear brower cache or use another browser and try a login

or you can try to disable 2FA:

sudo -u www-data ./occ twofactorauth:disable

Thanks for your reply.

The command seems to deactivate the F2A settings for a user and that is not where I’m looking for. I’m searching for a way to disable the global “force F2A” setting.

Could be an option, will try it.

if you still have problems with 2FA you can try to disable the app

sudo -u www-data php occ app:enable twofactor_totp

you mean app:disable, right?

Thanks for all the help.

The command sudo -u apache php occ twofactorauth:enforce --off did the trick.

Please note that this command now requires the provider ID and requires the provider to support that. This is necessary due to the fact that Nextcloud now keeps track of which providers are enabled/disabled and thus we have to also give providers feedback if the state changes to prevent inconsistencies. The documentation was updated accordingly.

Hey @cronus,

I’m happy you could log into your system again.

To understand the issue better and possibly prevent this for other users I would like some feedback. Did you see the “Two-factor authentication can be enforced for all users and specific groups. If they do not have a two-factor provider configured, they will be unable to log into the system.” message before you clicked the checkbox and enforced 2FA?

FYI I tracked this issue at https://github.com/nextcloud/server/issues/12267. Nextcloud 16 might have an additional check for this case.

2 Likes

I wasn’t sure about that. The sentence sounded more like users without 2FA can’t login and admin’s don’t have any problems.

I would prefer a system where a user without 2FA would need to setup 2FA on first time login.

This is tracked at https://github.com/nextcloud/server/issues/12268.

1 Like