06-27-2021 01:01 AM
open and download from
then extract zip to your Nextcloud path at folder [nextcloud_path]/apps/twofactor_duo
=====================================================================
open file [nextcloud_path]/apps/twofactor_duo/appinfo/info.xml
just delete this code
<dependencies>
<php min-version="5.6" max-version="7.1" />
<nextcloud min-version="13" max-version="13" />
</dependencies>
and replace this <category>auth</category>
to
<category>integration</category>
<category>security</category>
=====================================================================
next, open [nextcloud_path]/config/config.php
add this code before );
'twofactor_duo' => [
'IKEY' => 'xxxx',
'SKEY' => 'xxxxx',
'HOST' => 'xxxxx',
'AKEY' => 'xxxx',
],
note: for AKEY use IKEY value
=====================================================================
open this file [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvider.php
under the “interface IProvider” section find all of the public functions and remove the colon and type after the function name
example: change “public function getId(): string;” to “public function getId();”. This needs to be done for all six public functions.
=====================================================================
open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php
search for “public function getCSP”. Comment out line and put in “public function getCSP();”
=====================================================================
open [nextcloud_path]/core/Controller/TwoFactorChallengeController.php
search for “return new StandaloneTemplateResponse” and comment out that line, and add this code
$response = new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
if ($provider instanceof IProvidesCustomCSP) {
    $response->setContentSecurityPolicy($provider->getCSP());
}
return $response;
=====================================================================
after this try to enable twofactor_duo app, you can do it directly from your Nextcloud Apps or use occ
from cli
cd /nextcloud/path/directory
sudo -u apache php occ app:enable twofactor_duo
=====================================================================
use cli
sudo -u apache php occ integrity:check-core
you will see INVALID_HASH (Failed integrity check, invalid hash)
look under each detected file that has an invalid hash; each one has an expected hash and a current hash
open [nextcloud_path]/core/signature.json
find each expected hash and replace it with the current hash; do this for all of them
=====================================================================
now we must create signature for twofactor_duo
first we must generate key and then crt
sudo openssl genrsa -des3 -out /etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey /etc/ssl/twofactor.key --certificate /etc/ssl/twofactor.crt
=====================================================================
try to logout and login again
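Before any expected hash in core/signature.json is replaced as the post above describes, it is worth confirming that the only mismatches are the three core files that post edits. The following is an added example, not code from the thread or from Nextcloud; it assumes signature.json keeps SHA-512 hex digests under a "hashes" key with paths relative to the Nextcloud root, and `build_sample` creates a constructed tree so the check can be run without an install.

```python
import hashlib, json, sys, tempfile
from pathlib import Path

# The three core files the first post edits. Assumption: keys under "hashes" in
# core/signature.json are paths relative to the Nextcloud root, values SHA-512 hex.
EDITED = {
    "lib/public/Authentication/TwoFactorAuth/IProvider.php",
    "lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php",
    "core/Controller/TwoFactorChallengeController.php",
}
SKIP = {".htaccess", ".user.ini"}  # assumption: may be rewritten after install

def classify(root, edited=EDITED):
    """Return (explained, unexplained, missing) lists of mismatching paths."""
    root = Path(root)
    manifest = json.loads((root / "core" / "signature.json").read_text())
    explained, unexplained, missing = [], [], []
    for rel, want in sorted(manifest["hashes"].items()):
        target = root / rel
        if rel in SKIP:
            continue
        if not target.is_file():
            missing.append(rel)
        elif hashlib.sha512(target.read_bytes()).hexdigest() != want:
            (explained if rel in edited else unexplained).append(rel)
    return explained, unexplained, missing

def build_sample(root):
    """Constructed tree: a file the post edits and one it does not, both changed."""
    root = Path(root)
    edited = "core/Controller/TwoFactorChallengeController.php"
    files = {rel: b"<?php // shipped\n" for rel in (edited, "lib/base.php", "index.php")}
    hashes = {rel: hashlib.sha512(data).hexdigest() for rel, data in files.items()}
    hashes["version.php"] = hashlib.sha512(b"x").hexdigest()  # listed, not on disk
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "core" / "signature.json").write_text(json.dumps({"hashes": hashes}))
    (root / edited).write_bytes(b"<?php // patched as in the post\n")
    (root / "lib/base.php").write_bytes(b"<?php // changed by something else\n")
    return root

if __name__ == "__main__":
    # No argument: use the constructed sample rather than a real install.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    explained, unexplained, missing = classify(root)
    print("explained by the edits:", explained)
    print("NOT explained:", unexplained, "| missing:", missing)
    sys.exit(1 if unexplained or missing else 0)
```

Given the Nextcloud root as its argument, a non-zero exit means a file other than the three edited ones differs from the manifest or is missing, which should be investigated before any hash is overwritten.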
11-04-2021 06:09 AM
@ardhie I’ve followed all of the steps above.
After logging in, it brings me to a page located at https://myserver/login/challenge/duo showing the word Duo with no other text and no Duo push notification comes in unfortunately.
This is on version 22.2
Any advice?
11-28-2021 07:30 AM
01-23-2022 08:42 AM
I just came back to this and actually got it working with a few changes.
First and foremost for AKEY it should be 40 characters long, so copying IKEY doesn’t work. To generate the AKEY use
dd if=/dev/random count=1 | sha256sum
Copy the output into your config as AKEY
All of the sudo -u apache commands should be changed to sudo -u www-data
After those changes I had a few issues getting the app signed with the 3 commands in the final steps.
What I did here is create the folders /etc/ssl from INSIDE the nextcloud install directory. So in my case they’re at /var/www/nextcloud/etc/ssl.
So then I ran the command modified like this
sudo openssl genrsa -des3 -out /var/www/nextcloud/etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /var/www/nextcloud/etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
Now I ran into more issues trying to run the final command. First I was getting etc/ssl/twofactor.key does not exist. Permissions on the 2 generated files were 0600 and owner was root. So I changed the permissions to 0777 (likely not advised) and owner/group to www-data.
Ran the final command and got Error: apps/twofactor_duo/appinfo is not writable.
So I checked the permissions there, they were also 0600 and owner was root. So I did the same to the twofactor_duo directory and changed it to 0777 (also likely not advised) and owner/group to www-data.
After changing the permissions there I ran this one last time from within the nextcloud directory
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey etc/ssl/twofactor.key --certificate etc/ssl/twofactor.crt
Successfully signed “apps/twofactor_duo”
Signed out, signed back in, success!
05-07-2022 12:26 PM
In case anyone is interested, there is this fork of the github repo in the original post: GitHub - srolfe/twofactor_duo: Experimental Duo two-factor auth provider for Nextcloud
I used this fork as is, without changing anything in nextcloud itself (besides the config part) and it works out of the box. I use nextcloud 23.0.3.
In duo, I pressed protect an application and chose Web SDK type
06-17-2024 03:51 AM
Does not work anymore because of Duo Universal Prompt upgrades
Does anyone have a solution for this? Plugin would need to be updated to be using Web SDK 4.
Any other solution for using Nextcloud with 2FA via Duo?