nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

DUO 2FA User Login Issue #3444

Open micromort opened 1 year ago

micromort commented 1 year ago

This is in relation to https://github.com/nilsteampassnet/TeamPass/issues/3361 - but I am unable to reopen that issue.

Steps to reproduce

  1. Install TeamPass 3.0.0.20 on a Debian 10 system
  2. Configure DUO 2FA in TeamPass
  3. Try to login using DUO credentials

Expected behaviour

What should happen is the user is able to login to TeamPass with their DUO credentials

Actual behaviour

Trying to login without a local user with the same username results in a credential error. After creating a local user with the same username, the DUO 2FA credentials do not work due to the automatic password generated by TeamPass.

Perhaps there is a setting in the admin console that I am not aware of?

Server configuration

Operating system: Debian 10

Web server: Apache 2.4.38

Database: Mariadb - mariadb-server ver 1:10.3.36

PHP version: php 7.3

Teampass version: 3.0.0.20

Updated from an older Teampass or fresh install: Fresh install

PLEASE attach to this issue the file /includes/config/tp.config.php.

<?php
global $SETTINGS;
$SETTINGS = array (
'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '0',
'log_connections' => '1',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '0',
'item_duplicate_in_same_folder' => '1',
'duplicate_item' => '0',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/var/www/html/TeamPass',
'cpassman_url' => 'https://teampasstest.com',
'favicon' => 'https://teampasstest.com/favicon.ico',
'path_to_upload_folder' => '/var/www/html/TeamPass/upload',
'path_to_files_folder' => '/var/www/html/TeamPass/files',
'url_to_files_folder' => 'https://teampasstest.com/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'cpassman_version' => '3.0.0.20',
'ldap_mode' => '0',
'ldap_type' => 'ActiveDirectory',
'ldap_suffix' => '0',
'ldap_domain_dn' => '0',
'ldap_domain_controler' => '0',
'ldap_user_attribute' => 'sAMAccountName',
'ldap_ssl' => '1',
'ldap_tls' => '0',
'ldap_elusers' => '0',
'ldap_search_base' => '0',
'ldap_port' => '636',
'richtext' => '0',
'allow_print' => '0',
'roles_allowed_to_print' => '0',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '1',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => '',
'custom_login_text' => '',
'default_language' => 'english',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1661966607',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => '',
'email_smtp_auth' => '',
'email_auth_username' => '',
'email_auth_pwd' => '',
'email_port' => '',
'email_security' => '',
'email_server_url' => '',
'email_from' => '',
'email_from_name' => '',
'pwd_maximum_length' => '40',
'google_authentication' => '0',
'delay_item_edition' => '0',
'allow_import' => '1',
'proxy_ip' => '',
'proxy_port' => '',
'upload_maxfilesize' => '10mb',
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
'upload_imagesext' => 'jpg,jpeg,gif,png',
'upload_pkgext' => '7z,rar,tar,zip',
'upload_otherext' => 'sql,xml',
'upload_imageresize_options' => '1',
'upload_imageresize_width' => '800',
'upload_imageresize_height' => '600',
'upload_imageresize_quality' => '90',
'use_md5_password_as_salt' => '0',
'ga_website_name' => 'TeamPass for ChangeMe',
'api' => '0',
'subfolder_rights_as_parent' => '1',
'show_only_accessible_folders' => '1',
'enable_suggestion' => '0',
'otv_expiration_period' => '7',
'default_session_expiration_time' => '60',
'duo' => '1',
'enable_server_password_change' => '0',
'ldap_object_class' => '0',
'bck_script_path' => '/var/www/html/TeamPass/backups',
'bck_script_filename' => 'bck_teampass',
'syslog_enable' => '0',
'syslog_host' => 'localhost',
'syslog_port' => '514',
'manager_move_item' => '1',
'create_item_without_password' => '1',
'otv_is_enabled' => '0',
'agses_authentication_enabled' => '0',
'item_extra_fields' => '0',
'saltkey_ante_2127' => 'none',
'migration_to_2127' => 'done',
'files_with_defuse' => 'done',
'timezone' => 'UTC',
'enable_attachment_encryption' => '1',
'personal_saltkey_security_level' => '50',
'ldap_new_user_is_administrated_by' => '1',
'disable_show_forgot_pwd_link' => '0',
'offline_key_level' => '0',
'enable_http_request_login' => '0',
'ldap_and_local_authentication' => '0',
'secure_display_image' => '1',
'upload_zero_byte_file' => '0',
'upload_all_extensions_file' => '0',
'bck_script_passkey' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'admin_2fa_required' => '0',
'password_overview_delay' => '4',
'copy_to_clipboard_small_icons' => '1',
'duo_ikey' => 'XXXXXXXXXXXXXXX',
'duo_skey' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'duo_host' => 'api-xxxxxxxx.duosecurity.com',
'duo_failmode' => 'secure',
'teampass_version' => '',
'roles_allowed_to_print_select' => '',
'clipboard_life_duration' => '30',
'mfa_for_roles' => '[1,2]',
'tree_counters' => '0',
'settings_offline_mode' => '0',
'settings_tree_counters' => '0',
'enable_massive_move_delete' => '0',
'email_debug_level' => '0',
'ga_reset_by_user' => '',
'onthefly-backup-key' => '',
'onthefly-restore-key' => '',
'ldap_user_dn_attribute' => 'DistinguishedName',
'ldap_dn_additional_user_dn' => '',
'ldap_user_object_filter' => '',
'ldap_bdn' => 'DC=xxxxx,DC=local',
'ldap_hosts' => 'xxxxxx.local',
'ldap_password' => 'xxxxxxxxxxxxxxxxxx',
'ldap_username' => 'cn=xxx xxxxx,cn=users,dc=local',
'api_token_duration' => '60',
'enable_tasks_manager' => '0',
'task_maximum_run_time' => '300',
'tasks_manager_refreshing_period' => '20',
'maximum_number_of_items_to_treat' => '100',
'can_create_root_folder' => '1',
'ldap_new_user_role' => '1',
);

Client configuration

Browser: Chrome v. 107.0.5304.123

Operating system: Windows 10

Logs

Log from the web-browser developer console (CTRL + SHIFT + i)

jquery.min.js:2 jQuery.Deferred exception: Cannot read properties of undefined (reading 'google_authentication') TypeError: Cannot read properties of undefined (reading 'google_authentication')
    at showMFAMethod (https://teampasstest.com/index.php?post_type=duo&state=cMeXeVJWh04DZds9Avdw90aSy0Y0VKEb63PA&duo_code=0rbQl69vUqD7yJDPH4KE3vkiaAFWIvWZ:2815:67)
    at Object.<anonymous> (https://teampasstest.com/index.php?post_type=duo&state=cMeXeVJWh04DZds9Avdw90aSy0Y0VKEb63PA&duo_code=0rbQl69vUqD7yJDPH4KE3vkiaAFWIvWZ:2012:13)
    at e (https://teampasstest.com/plugins/jquery/jquery.min.js:2:30038)
    at t (https://teampasstest.com/plugins/jquery/jquery.min.js:2:30340) undefined

nilsteampassnet commented 1 year ago

I cannot reproduce. But what do you mean by the sentence "Trying to login without a local user with the same username results in a credential error."? DUO auth is quite complex; could you record the whole auth process to see what is going on?

micromort commented 1 year ago

If you try to login to TeamPass with a DUO 2FA username and password, TeamPass will give the credential error without checking DUO 2FA. So there is no way to login with a DUO authenticated username if there is no local teampass user with the same username. But then the password TeamPass generates for the local user won't match the DUO authenticated user password, thus the issue. Does that make sense?