DUO Security 2fa (Two Factor) with Nextcloud 21

ardhie
Level 1

I use CentOS 7, httpd, PHP 7.4 and Nextcloud 21.

Open and download from

then extract the zip into your Nextcloud path, in the folder [nextcloud_path]/apps/twofactor_duo

=====================================================================

Open the file [nextcloud_path]/apps/twofactor_duo/appinfo/info.xml

and just delete this code:

<dependencies>
	<php min-version="5.6" max-version="7.1" />
	<nextcloud min-version="13" max-version="13" />
</dependencies>

and replace <category>auth</category> with

<category>integration</category>
<category>security</category>

=====================================================================

Next, open [nextcloud_path]/config/config.php

and add this code before the closing );

'twofactor_duo' => [
  'IKEY' => 'xxxx',
  'SKEY' => 'xxxxx',
  'HOST' => 'xxxxx',
  'AKEY' => 'xxxx',
],

Note: for AKEY, use the IKEY value.

=====================================================================

Open the file [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvider.php

Under the “interface IProvider” section, find all of the public functions and remove the colon and return type after the function name.
Example: change “public function getId(): string;” to “public function getId();”. This needs to be done for all six public functions.

=====================================================================

Open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php

Search for “public function getCSP”. Comment out that line and put in “public function getCSP();”

=====================================================================

Open [nextcloud_path]/core/Controller/TwoFactorChallengeController.php

Search for “return new StandaloneTemplateResponse”, comment out that line, and add this code:

// render the challenge page and apply the provider's custom CSP if it supplies one
$response = new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
if ($provider instanceof IProvidesCustomCSP) {
  $response->setContentSecurityPolicy($provider->getCSP());
}
return $response;

=====================================================================
After this, try to enable the twofactor_duo app. You can do it directly from your Nextcloud Apps page or use occ from the CLI:

cd /nextcloud/path/directory
sudo -u apache php occ app:enable twofactor_duo

=====================================================================
Using the CLI:
sudo -u apache php occ integrity:check-core
you will see INVALID_HASH (Failed integrity check, invalid hash).
Look under the detected files with an invalid hash; each one shows the expected hash and the current hash.

Open [nextcloud_path]/core/signature.json

Find each expected hash and replace it with the current hash; do this for all of them.

=====================================================================
Now we must create a signature for twofactor_duo.
First we generate a key, then a certificate from it:

# generate an unencrypted 2048-bit signing key
sudo openssl genrsa -out /etc/ssl/twofactor.key 2048
# self-signed certificate (100 years) for that key
sudo openssl req -x509 -nodes -days 36500 -key /etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey /etc/ssl/twofactor.key --certificate /etc/ssl/twofactor.crt

=====================================================================
Try to log out and log in again.

Good luck!
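
The integrity step above works from the expected-vs-current hash listing that occ prints. As an added example (not code from the original post or from Nextcloud), the following Python script reproduces the hash-comparison half of occ integrity:check-core: it reads the "hashes" map from signature.json, hashes every file with SHA-512 as Nextcloud does, and reports INVALID_HASH, FILE_MISSING and EXTRA_FILE with the labels the real checker uses, run here against a constructed sample tree in which one file was patched the way the post describes. It leaves out what the real checker also does, namely verifying the RSA signature over that hash list and the certificate stored beside it, and it simplifies the checker's exclusion list to skipping signature.json itself (an assumption).

```python
import hashlib
import json
import os
import tempfile

SIGNATURE_FILE = "signature.json"


def sha512_of(path):
    """SHA-512 hex digest of one file, the algorithm Nextcloud stores in signature.json."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def current_hashes(root):
    """Map of relative POSIX path -> sha512 hex for every regular file under root.
    Assumption: only signature.json is skipped; the real checker has a longer
    exclude list (e.g. data/ and config/) that is not reproduced here."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel == SIGNATURE_FILE:
                continue
            hashes[rel] = sha512_of(full)
    return hashes


def check_integrity(root):
    """Compare the expected hashes in root/signature.json with the files on disk.
    Returns a dict keyed by the category names Nextcloud's checker reports; each
    entry maps path -> {'expected': ..., 'current': ...}."""
    with open(os.path.join(root, SIGNATURE_FILE)) as f:
        expected = json.load(f)["hashes"]
    current = current_hashes(root)
    result = {"INVALID_HASH": {}, "FILE_MISSING": {}, "EXTRA_FILE": {}}
    for path, exp in expected.items():
        cur = current.get(path)
        if cur is None:
            result["FILE_MISSING"][path] = {"expected": exp, "current": ""}
        elif cur != exp:
            result["INVALID_HASH"][path] = {"expected": exp, "current": cur}
    for path, cur in current.items():
        if path not in expected:
            result["EXTRA_FILE"][path] = {"expected": "", "current": cur}
    return result


def build_demo_tree(plant_extra_file=False):
    """Constructed sample tree (not real Nextcloud files): a hash list is written
    for the pristine files, then one file is patched as the post describes.
    With plant_extra_file=True an unsigned file is dropped in afterwards as well."""
    root = tempfile.mkdtemp(prefix="nc-integrity-")
    files = {
        "core/Controller/TwoFactorChallengeController.php":
            "<?php\nreturn new StandaloneTemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');\n",
        "lib/public/Authentication/TwoFactorAuth/IProvider.php":
            "<?php\ninterface IProvider {\n\tpublic function getId(): string;\n}\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    # Record the pristine hashes. A real signature.json also carries an RSA
    # signature over this list and the signing certificate; both are left empty here.
    with open(os.path.join(root, SIGNATURE_FILE), "w") as f:
        json.dump({"hashes": current_hashes(root), "signature": "", "certificate": ""}, f)
    # The kind of edit the post makes: strip the return type from IProvider.
    patched = os.path.join(root, "lib/public/Authentication/TwoFactorAuth/IProvider.php")
    with open(patched, "w") as f:
        f.write("<?php\ninterface IProvider {\n\tpublic function getId();\n}\n")
    if plant_extra_file:
        with open(os.path.join(root, "core/shell.php"), "w") as f:
            f.write("<?php // unsigned file that the checker must report as EXTRA_FILE\n")
    return root


if __name__ == "__main__":
    for category, entries in check_integrity(build_demo_tree(plant_extra_file=True)).items():
        for path, h in entries.items():
            print(f"{category}: {path}")
            print(f"  expected {h['expected'][:24] or '-'}")
            print(f"  current  {h['current'][:24] or '-'}")
```

Run it as is to see the three categories on the constructed tree, or point check_integrity() at a real core or app directory that contains a signature.json to get the same expected-vs-current listing without going through occ. Because the real checker also validates the signature over the hash list, matching hashes alone are not what establishes that a tree is trusted.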

Accepted Solution

I just came back to this and actually got it working with a few changes.
First and foremost, the AKEY should be 40 characters long, so copying the IKEY doesn't work. To generate the AKEY, use

# hash one block of random data; cut keeps only the 64 hex characters
dd if=/dev/random count=1 2>/dev/null | sha256sum | cut -d ' ' -f1

Copy the output into your config as AKEY.

All of the sudo -u apache commands should be changed to sudo -u www-data

After those changes, I had a few issues getting the app signed with the 3 commands in the final steps.
What I did here is create the folders /etc/ssl from INSIDE the Nextcloud install directory. So in my case they're at /var/www/nextcloud/etc/ssl.

So then I ran the commands modified like this:

sudo openssl genrsa -out /var/www/nextcloud/etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -key /var/www/nextcloud/etc/ssl/twofactor.key -out /var/www/nextcloud/etc/ssl/twofactor.crt

Now I ran into more issues trying to run the final command. First I was getting etc/ssl/twofactor.key does not exist. Permissions on the 2 generated files were 0600 and owner was root. So I changed the permissions to 0777 (likely not advised) and owner/group to www-data.

Ran the final command and got Error: apps/twofactor_duo/appinfo is not writable.
So I checked the permissions there, they were also 0600 and owner was root. So I did the same to the twofactor_duo directory and changed it to 0777 (also likely not advised) and owner/group to www-data.

After changing the permissions there I ran this one last time from within the nextcloud directory

sudo -u www-data php occ integrity:sign-app --path apps/twofactor_duo --privateKey etc/ssl/twofactor.key --certificate etc/ssl/twofactor.crt

Successfully signed “apps/twofactor_duo”

Signed out, signed back in, success!

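
Both the original post (which copies the IKEY into AKEY) and the accepted solution (which generates a 40-character value) concern the 'twofactor_duo' block in config.php. As an added example (not code from either post, from Duo, or from the twofactor_duo app), this Python script generates an AKEY from the CSPRNG and sanity-checks the block before it goes into config.php, using the length rules Duo's Web SDK v2 client enforces (integration key 20, secret key 40, application key at least 40 characters). The hostname pattern, the alphanumeric check on AKEY and the sample values are assumptions or constructed placeholders, not real credentials.

```python
import re
import secrets

# Length rules enforced by Duo's Web SDK v2 client library (the API this app targets).
IKEY_LEN = 20
SKEY_LEN = 40
AKEY_MIN_LEN = 40
# Assumption: Duo API hostnames look like api-XXXXXXXX.duosecurity.com with 8 hex chars.
HOST_RE = re.compile(r"^api-[0-9a-f]{8}\.duosecurity\.com$")


def generate_akey(nbytes=20):
    """A fresh random AKEY as hex: 20 bytes -> 40 characters, the minimum Duo accepts.
    Drawn from the CSPRNG; this value stays on the server and is never sent to Duo."""
    return secrets.token_hex(nbytes)


def validate_duo_config(cfg):
    """Return a list of problems with a 'twofactor_duo' config block; [] means OK."""
    ikey = cfg.get("IKEY", "")
    skey = cfg.get("SKEY", "")
    host = cfg.get("HOST", "")
    akey = cfg.get("AKEY", "")
    problems = []
    if len(ikey) != IKEY_LEN:
        problems.append(f"IKEY must be exactly {IKEY_LEN} characters, got {len(ikey)}")
    if len(skey) != SKEY_LEN:
        problems.append(f"SKEY must be exactly {SKEY_LEN} characters, got {len(skey)}")
    if not HOST_RE.match(host):
        problems.append(f"HOST {host!r} is not of the form api-XXXXXXXX.duosecurity.com")
    if len(akey) < AKEY_MIN_LEN:
        problems.append(f"AKEY must be at least {AKEY_MIN_LEN} characters, got {len(akey)}")
    if akey and akey in (ikey, skey):
        problems.append("AKEY must be its own secret, not a copy of IKEY or SKEY")
    # Catches e.g. the trailing "  -" that sha256sum prints if the whole line is pasted.
    if akey and not re.fullmatch(r"[0-9A-Za-z]+", akey):
        problems.append("AKEY should be plain alphanumerics so it survives config.php quoting")
    return problems


def render_config_block(cfg):
    """The config.php fragment the post adds, built from a validated dict."""
    lines = ["'twofactor_duo' => ["]
    for key in ("IKEY", "SKEY", "HOST", "AKEY"):
        lines.append(f"  '{key}' => '{cfg[key]}',")
    lines.append("],")
    return "\n".join(lines)


# Constructed placeholder values (not real Duo credentials).
SAMPLE_CONFIG = {
    "IKEY": "DI" + "A" * 18,                 # 20 chars
    "SKEY": "deadbeef" * 5,                  # 40 chars
    "HOST": "api-0123abcd.duosecurity.com",
    "AKEY": generate_akey(),
}

if __name__ == "__main__":
    print("sample block:", validate_duo_config(SAMPLE_CONFIG) or "OK")
    print(render_config_block(SAMPLE_CONFIG))
    # What the original post suggests (AKEY = IKEY) fails two checks:
    for p in validate_duo_config(dict(SAMPLE_CONFIG, AKEY=SAMPLE_CONFIG["IKEY"])):
        print("reusing IKEY as AKEY:", p)
```

Running the script prints the rendered block for the constructed values and then the two complaints the validator raises when the AKEY is just the IKEY (too short, and not an independent secret).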

5 Replies

MRobi
Level 1

@ardhie I’ve followed all of the steps above.
After logging in, it brings me to a page at https://myserver/login/challenge/duo showing the word Duo with no other text, and no Duo push notification comes in, unfortunately.
This is on version 22.2
Any advice?

Hello @MRobi

I have the same issue here.
Did you find a solution?

Thanks !


shahar3000
Level 1

In case anyone is interested, there is this fork of the GitHub repo from the original post: GitHub - srolfe/twofactor_duo: Experimental Duo two-factor auth provider for Nextcloud
I used this fork as is, without changing anything in Nextcloud itself (besides the config part), and it works out of the box. I use Nextcloud 23.0.3.

In Duo, I pressed “Protect an Application” and chose the Web SDK type.

livteccloud
Level 1

Does not work anymore because of the Duo Universal Prompt upgrades.


Does anyone have a solution for this? The plugin would need to be updated to use Web SDK 4.

Why do I see the error "Setup error. Your organization needs to upgrade this application to the Duo Universal Prompt" when logging into an application using the traditional Duo Prompt?

Any other solution for using Nextcloud with 2FA via Duo?
