Nexcloud 28 with DUO Security 2FA (Two Factor)

ardhie · June 25, 2021, 8:59pm

I use Ubuntu 22.04, APACHE, PHP 8.2 and Nexcloud 28

open and download from

then extract zip to your Nextcloud path at folder [nextcloud_path]/apps/twofactor_duo

=====================================================================

open file [nextcloud_path]/apps/twofactor_duo/appinfo/info.xml

just delete this code

<dependencies>
	<php min-version="5.6" max-version="7.1" />
	<nextcloud min-version="13" max-version="13" />
</dependencies>

and replace this <category>auth</category> to

<category>integration</category>
<category>security</category>

=====================================================================

next, open [nextcloud_path]/config/config.php

add this code before );

'twofactor_duo' => [
  'IKEY' => 'xxxx',
  'SKEY' => 'xxxxx',
  'HOST' => 'xxxxx',
  'AKEY' => 'xxxx',
],

note: for AKEY use IKEY value

=====================================================================

open this files [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvider.php

under “interface IProvider” section find all of the public functions and remove the colon and type after the function name
example: change “public function getId(): string;” to “public function getId();”. This needs to be done for all six public functions.

=====================================================================

open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php

search for “public function getCSP”. Comment out line and put in “public function getCSP();”

=====================================================================

open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php

search for “public function getCSP”. Comment out line and put in “public function getCSP();”

=====================================================================

open [nextcloud_path]/core/Controller/TwoFactorChallengeController.php

search for “return new StandaloneTemplateResponse” and comment out that line, and add this code

$response = new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
if ($provider instanceof IProvidesCustomCSP) {
  $response->setContentSecurityPolicy($provider->getCSP());
}
return $response;

=====================================================================
after this try to enable twofactor_duo app, you can do it directly from your Nextcloud Apps or use occ from cli

cd /nextcloud/path/directory
sudo -u apache php occ app:enable twofactor_duo

=====================================================================
use cli
sudo -u apache php occ integrity:check-core
you will see INVALID_HASH ( Failed integrity check, invalid hash)
just see under detect file with have invalid hash, had expected hash and current hash

open [nextcloud_path]/core/signature.json

find expected hash and then replace with current hash, do it all

=====================================================================
now we must create signature for twofactor_duo
first we must generate key and then crt

sudo openssl genrsa -des3 -out /etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey /etc/ssl/twofactor.key --certificate /etc/ssl/twofactor.crt

=====================================================================
try to logout and login again

Good Luck

anon71540698 · June 26, 2021, 3:08am

My understanding is, 2FA in Nextcloud is either built-in or can be implemented using SAML (enterprise SSO way of doing this).

Up until v.15 you could query external 2FA system directly, e.g. privacyIDEA.

I believe DUO is in the same category…

Unfortunately, this (direct) ability was never revived…

github.com/nextcloud/server

Stateless 2FA providers

opened 10:58AM - 13 Dec 18 UTC

closed 09:43AM - 10 Apr 20 UTC

ChristophWurst

enhancement 0. Needs triage integration

**Is your feature request related to a problem? Please describe.** Since Nextcl…oud 14 2FA providers are stateful for enhanced security and performance. This means their enabled/disabled state per user is managed and persisted in the provider registry. Therefore providers can no longer dynamically decide if they should be enabled by the currently logging in user or not, which was possible up to Nextcloud 13. **Describe the solution you'd like** We could have a new IStatelessProvider interface where we move/copy over the legacy method IProvider::isTwoFactorEnabledForUser. On login, providers implementing this interface will be checked dynamically. Any failure to load will allow bypassing 2FA. **Describe alternatives you've considered** @rullzer proposed an alternative where providers can be made/tagged as "passive" and when their challenge page is shown the form is automatically submit where the provider can just let the user pass. **Additional context** n/a --- Edit: We still have to make sure that if provider apps vanish, we don't let the users log in. Therefore we must have a table with active providers. And offer a command to remove providers from that table. If a users logs in and a stateless provider can't be found we lock down.

MRobi · November 6, 2021, 3:08pm

Getting a blank duo screen with nothing being sent or logged on duo’s end.

I saw another thread suggesting using a 40 character AKEY. Extending the AKEY to 40 characters gives me an authentication error. I’m currently using the IKEY value as the AKEY value. I tried swapping the SKEY value in there since it’s 40 characters and get the same authentication error. So went back to the IKEY.

Checking the logs all I’m seeing mentioning Duo is this:

{"reqId":"Y6KnLqaPuRWQVn2S5ffe","level":0,"time":"November 06, 2021 14:30:07","remoteAddr":"IPADDRESS","user":"USER","app":"files_sharing","method":"GET","url":"/index.php/login/challenge/duo","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40","version":"21.0.1.1"}

{"reqId":"iuCFFpRWTa2At1ku9ig6","level":3,"time":"November 06, 2021 14:32:52","remoteAddr":"IPADDRESS","user":"USERNAME","app":"core","method":"GET","url":"/index.php/login/selectchallenge?redirect_url=/index.php/apps/dashboard/","message":"two-factor auth provider 'duo' failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40","version":"21.0.1.1"}

From my understanding the deprecated error is simply a warning for the dev and doesn’t affect functionality.

The other, “failed to load” doesn’t really give me much to go off of as to why or why not.

Log level is set to 0.

Any tips?

ardhie · January 8, 2024, 4:43am

Hi @MRobi

First and foremost for AKEY it should be 40 characters long, so copying IKEY doesn’t work.
To generate the AKEY use

dd if=/dev/random count=1 | sha256sum

Copy the output into your config as AKEY

'twofactor_duo' => [
  'IKEY' => 'xxxx',
  'SKEY' => 'xxxx',
  'HOST' => 'api-xxxxxxxx.duosecurity.com,
  'AKEY' => 'xxxx',
],

MRobi · January 19, 2024, 1:26pm

Thanks, I had figured that one out and got it working in Jan '22.
I used that command to generate the AKEY. But I also had to modify some of the other commands above from sudo -u apache to sudo -u www-data. Then I was getting permission issues on some files which were set to 0600 with an owner of root. So I changed those to 0777 and owner www-data. After that I was able to get it working, but it would complain about the files that I modified.

Ultimately, I ended up using this fork which worked out of the box and only required adding the config info. Was a much simpler process. Unsure if it’s compatible with v28 though, planning that update for this weekend.

livtecch · June 17, 2024, 2:02pm

Does not work anymore because of Duo Universal Prompt upgrades for new setups.

Anyone has a solution for this? Plugin would need to be updated to be using Web SDK 4.

Why do I see the error “Setup error. Your organization needs to upgrade this application to the Duo Universal Prompt” when logging into an application using the traditional Duo Prompt? (site.com)

ardhie · July 24, 2024, 4:31pm

Hi @livtecch

Until now I can still use the Traditional DUO Prompt Method for My Nextcloud.

When creating a Protect Application in the DUO Admin Dashboard, did you choose Web SDK?

ardhie · July 25, 2024, 7:27pm

Hi @livtecch

take a look at my new Post

livtecch · July 26, 2024, 6:57am

As a next step after the traditional Duo Prompt end of support, effective April 11, 2024 Duo began blocking use of the traditional Duo Prompt in an iframe for newly-created protected applications for all customers that are in-scope of the required update to the Universal Prompt and are in “App Update Ready” status in the Duo Admin Panel.

We have not blocked use of the traditional Duo Prompt for applications created before April 2024 at this time, and Duo will not block applications for which we know there is no Universal Prompt update available.

Why do I see the error “Setup error. Your organization needs to upgrade this application to the Duo Universal Prompt” when logging into an application using the traditional Duo Prompt? (site.com)

It only affects new Duo deployments. Yes we use Web SDK

livtecch · July 26, 2024, 7:00am

Looks nice.
We have forked the old plugin and made it ready for NC 29.X and New Duo Universal Prompt as well recently:
Livtec-Cloud-Provider/twofactor_duo: Experimental Duo two-factor auth provider for Nextcloud (github.com)

Compared to your plugin it does not require modifying Nextcloud Core files. But it requires further testing and hardening and also needs to get maintained.

clincher · August 1, 2024, 8:52am

I gave this plugin a try this evening as I would really love to get Duo working. After uploading the plugin to the apps dir, restarted Nextcloud then attempted to enable the app, I get an error message saying “Could not download app twofactor_duo”. I get no other error messages in the logs even after setting log level to debug. Not sure if I’m doing something wrong.

Nextcloud 29.0.4 running under Docker/UnRAID

clincher · August 1, 2024, 5:26pm

Further testing. When attempting to enable via occ, I get the following message:
occ $ app:enable twofactor_duo-master

App not found

ernolf · August 1, 2024, 6:06pm

You should not enable ‘twofactor_duo-master’ but ‘twofactor_duo’ instead.

And the directory should not be named apps/twofactor_duo-master but apps/twofactor_duo as well.

hth.

ernolf