Open m-a-r-k-e opened 5 years ago
If you enable the "Enforce two-factor authentication" option in Settings -> Administration -> Security -> Two-Factor Authentication (or `occ config:system:set --value true twofactor_enforced`) without enabling any two-factor providers, access with the backend password will be denied, but access with the application password will remain (and user_saml module functionality too).
You can certainly use this crutch to solve the problem, but I'm not sure that similar problems won't come up anywhere else...
I suppose all this mess has occurred due to rather serious changes in the authentication stack in several recent versions of Nextcloud (support for multi-factor providers, Two-Factor Gateway, etc.). And I'm not sure that the problem lies in the module itself.
In any case, it requires either additional testing of this "solution" and/or confirmation from the author that this "solution" works as expected.
But in any case, authenticating WebDAV through the module will not work, because it requires support in the sabredav library. Multi-factor authentication functionality (it doesn't matter whether through the user_saml module or a two-factor provider) applies only to the Nextcloud web portal and its web applications.
If I understand you correctly - I need to untick enforce TOTP to prevent users from signing in via this backdoor?
WTH? This is a big security issue - We punish users through all that MFA/TOTP hassle, route them through Azure Conditional Access Policies to make sure only trusted/domain joined/etc. devices are able to access the Nextcloud instance and now this? The user only has to change the URL to login from any device?
Got it:
Many thx for that hint.
Steps to reproduce
Expected behaviour
Actual behaviour
This issue is probably related to https://github.com/nextcloud/user_saml/issues/284, but for the direct login page I used the suggested solution of blocking the direct login page with the web server configuration.
Server configuration detail
Operating system: Linux 3.10.0-957.12.1.el7.x86_64 #1 SMP Mon Apr 29 14:59:59 UTC 2019 x86_64
Webserver: Apache (apache2handler)
Database: mysql 5.5.60
PHP version: 7.2.10
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, intl, json, ldap, exif, mysqlnd, PDO, Phar, posix, shmop, SimpleXML, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, zip, mysqli, pdo_mysql, pdo_sqlite, wddx, xmlreader, apcu, igbinary, imagick, redis, Zend OPcache
Nextcloud version: 16.0.1 - 16.0.1.1
Updated from an older Nextcloud/ownCloud or fresh install:
Where did you install Nextcloud from: unknown
Signing status
Array ( )
List of activated apps
```
Enabled:
 - accessibility: 1.2.0
 - activity: 2.9.1
 - admin_audit: 1.6.0
 - cloud_federation_api: 0.2.0
 - comments: 1.6.0
 - dav: 1.9.2
 - drawio: 0.9.3
 - external: 3.3.0
 - federatedfilesharing: 1.6.0
 - files: 1.11.0
 - files_accesscontrol: 1.6.0
 - files_pdfviewer: 1.5.0
 - files_rightclick: 0.13.0
 - files_sharing: 1.8.0
 - files_texteditor: 2.8.0
 - files_trashbin: 1.6.0
 - files_versions: 1.9.0
 - files_videoplayer: 1.5.0
 - firstrunwizard: 2.5.0
 - gallery: 18.3.0
 - groupfolders: 4.0.2
 - issuetemplate: 0.5.0
 - logreader: 2.1.0
 - lookup_server_connector: 1.4.0
 - nextcloud_announcements: 1.5.0
 - notes: 2.6.0
 - notifications: 2.4.1
 - oauth2: 1.4.2
 - password_policy: 1.6.0
 - provisioning_api: 1.6.0
 - recommendations: 0.4.0
 - serverinfo: 1.6.0
 - sharebymail: 1.6.0
 - systemtags: 1.6.0
 - theming: 1.7.0
 - twofactor_backupcodes: 1.5.0
 - updatenotification: 1.6.0
 - user_ldap: 1.6.0
 - user_saml: 2.3.1
 - viewer: 1.0.0
 - workflowengine: 1.6.0
Disabled:
 - encryption
 - federation
 - files_external
 - privacy
 - support
 - survey_client
```
Configuration (config/config.php)
```
{
    "dbtype": "mysql",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "3306",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "mysql.utf8mb4": true,
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwritehost": "***REMOVED MY DOMAIN/URL***",
    "overwriteprotocol": "https",
    "overwritewebroot": "\/",
    "overwrite.cli.url": "***REMOVED MY DOMAIN/URL***",
    "htaccess.RewriteBase": "\/",
    "trusted_domains": [
        "***REMOVED MY DOMAIN/URL***"
    ],
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "default_language": "nl",
    "default_locale": "nl_NL",
    "remember_login_cookie_lifetime": 0,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    },
    "logtimezone": "Europe\/Amsterdam",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": 25,
    "lost_password_link": "disabled",
    "allow_user_to_change_display_name": false,
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "version": "16.0.1.1",
    "dbtableprefix": "oc_",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "theme": "",
    "maintenance": false,
    "loglevel": 0
}
```
Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: LDAP
Client configuration
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Operating system: Windows 10
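The report above mentions blocking the direct login page with the web server configuration but does not show the rule. The following is an added Apache example, not part of this issue or of the user_saml project, of what such a block can look like. It assumes the direct-login page is reached as `/login` with the query parameter `direct=1`; confirm that path on your own instance before relying on it.

```apache
# Added example (not from the issue): refuse Nextcloud's direct (local password)
# login page at the web server, so that only the SAML-initiated flow reaches a
# login form. Assumption: the direct login page is /login?direct=1 on this instance.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match only the login route, not /apps/user_saml/... or other paths
    RewriteCond %{REQUEST_URI} ^/login/?$
    # ...and only when the direct-login query parameter is present
    RewriteCond %{QUERY_STRING} (^|&)direct=1(&|$)
    # Answer 403 and stop processing; SAML logins use a different route
    RewriteRule ^ - [F,L]
</IfModule>
```

Place the block in the Nextcloud virtual host, run `apachectl configtest`, reload Apache, and verify from a client that a request for `/login?direct=1` returns 403 while the normal SAML sign-in still completes. Note the caveat already raised in this thread: a web-server block covers only the web login page. It does nothing about application passwords on WebDAV and other client endpoints, so the `twofactor_enforced` behaviour described above still needs to be addressed in Nextcloud itself.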