I locked myself out

Hi,

I installed Nextcloud 15 on one of my servers and everything went well. After the installation I decided to change a few settings. One of the settings was “Require F2A”. Now after a re-login I get the message to contact an admin because I didn’t add a F2A device.

Luckily enough, I still have access to the CLI (CentOS 7). Can I edit this setting here that I made on the GUI?

You can try to generate an OTP:

sudo -u www-data ./occ twofactorauth:admin:generate-code leonida

where “leonida” is the user ID for which a one-time login code shall be generated. See https://nextcloud-twofactor-admin.readthedocs.io/en/latest/Admin%20Documentation/

Then clear the browser cache or use another browser and try a login.

or you can try to disable 2FA:

sudo -u www-data ./occ twofactorauth:disable

Thanks for your reply.

The command seems to deactivate the F2A settings for a user and that is not what I’m looking for. I’m searching for a way to disable the global “force F2A” setting.

Could be an option, will try it.

if you still have problems with 2FA you can try to disable the app

sudo -u www-data php occ app:enable twofactor_totp

you mean app:disable, right?

Thanks for all the help.

The command sudo -u apache php occ twofactorauth:enforce --off did the trick.

Please note that this command now requires the provider ID and requires the provider to support that. This is necessary due to the fact that Nextcloud now keeps track of which providers are enabled/disabled and thus we have to also give providers feedback if the state changes to prevent inconsistencies. The documentation was updated accordingly.

Hey @cronus,

I’m happy you could log into your system again.

To understand the issue better and possibly prevent this for other users I would like some feedback. Did you see the “Two-factor authentication can be enforced for all users and specific groups. If they do not have a two-factor provider configured, they will be unable to log into the system.” message before you clicked the checkbox and enforced 2FA?

FYI I tracked this issue at https://github.com/nextcloud/server/issues/12267. Nextcloud 16 might have an additional check for this case.


I wasn’t sure about that. The sentence sounded more like users without 2FA can’t log in and admins don’t have any problems.

I would prefer a system where a user without 2FA would need to set up 2FA on first-time login.

This is tracked at Possibility to set up 2FA on login · Issue #12268 · nextcloud/server · GitHub.
