enforce 2FA?

Should we enforce 2FA for all users in the nextcloud instance? People are using the instance more than before and it may makes sense to help it secure.

What about server side encryption? Right now is not enabled.

added Next label

just enforce it.

assigned to @gaba

What about server side encryption? Right now is not enabled.

That's a separate question, but just for the record: server-side encryption doesn't help us with our current setup. We're hosting the Nextcloud server and its files at the same provider (riseup). If we would be (say) hosting the server at riseup and the files at (say) Amazon S3, that would give us some protection because an Amazon compromise wouldn't compromise the files. But that's not our configuration, so server-side encryption doesn't give us additional security benefits.

I'll add that to the Nextcloud docs. :)

I'll add that to the Nextcloud docs.

done

FWIW - the nextcloud encryption has been a nightmare for riseup. we enabled it on our test instance, and sync clients had trouble with it, causing corrupted files, so we disabled it (following their instructions) and it managed to not disable fully, so there are a bunch of documents that people cannot access, and you get no clear information about why you cannot access them, it just reloads the page. the logs have more information: the file is still encrypted, but the encryption keys are gone... we are currently in the process of trying to chase around people who have cleartext versions of those broken and encrypted files, to get them to re-upload them to replace the ones on the server.

I think the NC encryption piece was not fully baked before they put it out there, and I'm unsure if it is now still....

Is this client side encryption or server-side encryption?

I wouldn't be surprised to hear client-side encryption is half-baked, but i'd be surprised about problems with server-side, as that's been around for longer.

...

On 2022-05-17 12:36:19, Micah Anderson wrote:

FWIW - the nextcloud encryption has been a nightmare for riseup. we enabled it on our test instance, and sync clients had trouble with it, causing corrupted files, so we disabled it (following their instructions) and it managed to not disable fully, so there are a bunch of documents that people cannot access, and you get no clear information about why you cannot access them, it just reloads the page. the logs have more information: the file is still encrypted, but the encryption keys are gone... we are currently in the process of trying to chase around people who have cleartext versions of those broken and encrypted files, to get them to re-upload them to replace the ones on the server.

I think the NC encryption piece was not fully baked before they put it out there, and I'm unsure if it is now still....

-- Antoine Beaupré torproject.org system administration

server-side... there are a lot of issues from people who have suffered from weird issues like this. I think they didn't handle the transitions very well.

mentioned in commit wiki-replica@1527d0c5

added Doing label

removed Next label

changed due date to May 18, 2022

actually, it looks like 2FA was completely removed. my 2FA settings were also cleared out...

@hacim do you know if there's a way to restore 2FA settings after the upgrade? i seem to recall @pollo mentionning something about this in that IRC channel on 2022-05-05 17:22, it seems the fix is to run the twofactor_webauthn:migrate-u2f function, after enabling the two_factor_webauth web app.

it seems that we already have " Two-Factor TOTP Provider " enabled but "Two-Factor U2F" is disabled and the enable button is this scary (red) "enable untested app" button...

not sure how to go ahead with this.

The Two-Factor WebAuthn app needs to be enabled, and the migration command you quoted, run.

I think it's already enabled since a Passwordless Authentication section is found in Security section of user preferences. So it's probably just a matter of running the migration.

Unfortunately, the Two-Factor WebAuthn app is actually not enabled. Its not possible to do the migration command, without that being enabled.

Naturally, one would think, ok... let us just enable it and run that migration then... but the policy around enabling Nextcloud apps has been not to enable non-supported/official 3rd party apps, unless someone has managed to audit them. The list of Nextcloud supported apps doesn't currently list the Two-Factor WebAuthn app (although it does list the following: Two factor backup codes, Two factor TOTP Provider, Two factor U2F)

This policy could be revisited, or someone could spend a little time looking over the Two-Factor WebAuthn code to see if it is a terrible idea or not.

I can take a look this afternoon.

...

On 2022-05-17 13:01:56, Micah Anderson wrote:

This policy could be revisited, or someone could spend a little time looking over the Two-Factor WebAuthn code to see if it is a terrible idea or not.

-- Antoine Beaupré torproject.org system administration

i took a quick look. i have reviewed this commit:

commit 696943b725feedfec037cb68ef6de0440991c4a0
Author:     Christoph Wurst <ChristophWurst@users.noreply.github.com>
Date: Tue May 10 11:50:50 2022 +0200

Merge pull request #168 from nextcloud/dependabot/npm_and_yarn/babel/core-7.17.10

Bump @babel/core from 7.17.5 to 7.17.10

in general, it looks okay. i find it concerning that they would move u2f to an untested app, it seems kind of ludicrous, but that's the hand we're given.

in particular...

the composer.json file mentions a few (PHP) deps, but those seem pretty minimal and innocuous. the composer.lock file, in comparison, is kind of gigantic, but it's possibly because it expands all of those dependencies recursively, with metadata. i haven't tried to parse it for integriy.

the SVG files don't seem to be backdoored.

i did a quick read through the PHP files in lib/, and nothing stands out as explicitly hostile or obfuscated (although it's PHP we're talking about here, and my PHP is really rusty, think PHP 5 rusty). SQL queries seem properly parametrized. the registration challenge correctly uses random_bytes, but i didn't otherwise audit the crypto behind it, as i am not familiar enough with U2F to tell, and it's quite a lot of code to review.

localisation is done through hundreds of JS/JSON files. i did not audit those.

package.json is more serious. lots of deps there and naturally the lockfile is even larger. that said, it still looked reasonable: mostly internal nextcloud stuff, and Vue/vue-click-outside/vuex.

the src/ directory is full of .vue files. i have no idea how vue works, so i don't know what to do with those. they look like a mix of DOM and JS. i think there's some crypto things in here too. don't trust me too much on that section.

templates/ looks reasonable, didn't audit the tests.

so i'd say go, it doesn't look like a terrible ideas and all the cool kids are doing it.. beats no 2FA... riiight?

mentioned in issue team#40446 (closed)

okay, so here we need the server operator (@hacim) to run the twofactor_webauthn:migrate-u2f command to restore 2fa functionality.

thanks in advance!

assigned to @hacim and unassigned @gaba

taking this on as the next step is to audit the app's source code.

assigned to @anarcat and unassigned @hacim

/cc @gk

@hacim after a quick audit, i'm going to throw this back your way, i think we should enable the plugin and do the migration to restore 2fa.

thanks!

assigned to @hacim and unassigned @anarcat

Ok, thanks for suffering through that @anarcat ! I've gone ahead and enabled it, and ran the migration. I don't have a way to test that this works however. Who can check it?

I tested it just now and was able to log in using my previously configured Yubikey token.

Curiously however, after entering my username and password, it shows a page with an error message "Could not load at least one of you two-factor auth methods. Please contact your admin." ... and right under there I can click the box showing "WebAuthn device" and it takes me to a next page where it asks me to touch my token, which then allows me to log-in.

That's probably because the previous 2FA plugin was disabled, but not purged. There is a new command that can be ran to purge the previous plugin tokens from the DB (I can't remember what is it...).

@hacim you should also make sure the old U2F plugin has been deleted.

This thing is a hot mess. The Two-Factor U2F plugin was disabled, but not removed. I've just removed it.

@lavamind can you see if you still have the issue?

@pollo possibly its twofactorauth:cleanup totp ?

Micah Anderson (@hacim):

Micah Anderson commented on a discussion: #6 (comment 2804315)

This thing is a hot mess. The Two-Factor U2F plugin was disabled, but not removed. I've just removed it.

@lavamind can you see if you still have the issue?

FWIW, I tried with my Yubikey both in Tor Browser and a clean new Firefox profile on my Debian box but the log in failed, even after I registered my Yubikey again. While the do get the option to use WebAuthn for 2fa clicking on it asks me to plug my device in to get started with the authentication nothing actually happens afterwards. I seem to recall there was a notification bar popping up in Tor Browser/Firefox previously related to the authentification. It's missing now, too.

I guess this is related to the "Could not load at least one of your enabled two-factor auth methods. Please contact your admin." which I am seeing after filling in my username/password combo and pressing the "Log in" button: I only have two 2fa methods enabled, "WebAuthn device" and "Backup code" and I am limping along with the latter...

Georg Koppen (@gk):

Georg Koppen commented on a discussion: #6 (comment 2804992)

Micah Anderson (@hacim):

Micah Anderson commented on a discussion: #6 (comment 2804315)

This thing is a hot mess. The Two-Factor U2F plugin was disabled, but not removed. I've just removed it.

@lavamind can you see if you still have the issue?

FWIW, I tried with my Yubikey both in Tor Browser and a clean new Firefox profile on my Debian box but the log in failed, even after I registered my Yubikey again. While the do get the option to use WebAuthn for 2fa clicking on it asks me to plug my device in to get started with the authentication nothing actually happens afterwards. I seem to recall there was a notification bar popping up in Tor Browser/Firefox previously related to the authentification. It's missing now, too.

I guess this is related to the "Could not load at least one of your enabled two-factor auth methods. Please contact your admin." which I am seeing after filling in my username/password combo and pressing the "Log in" button: I only have two 2fa methods enabled, "WebAuthn device" and "Backup code" and I am limping along with the latter...

Oh, and as another data point: I tried password less authentication with the same Yubikey and that one is working (and I get the usual notification box which is when I am supposed to press the button on my Yubikey to activate it).

Georg Koppen commented on a discussion: #6 (comment 2804992)

Micah Anderson (@hacim):

Micah Anderson commented on a discussion: #6 (comment 2804315)

This thing is a hot mess. The Two-Factor U2F plugin was disabled, but not removed. I've just removed it.

@lavamind can you see if you still have the issue?

FWIW, I tried with my Yubikey both in Tor Browser and a clean new Firefox profile on my Debian box but the log in failed, even after I registered my Yubikey again. While the do get the option to use WebAuthn for 2fa clicking on it asks me to plug my device in to get started with the authentication nothing actually happens afterwards. I seem to recall there was a notification bar popping up in Tor Browser/Firefox previously related to the authentification. It's missing now, too.

I guess this is related to the "Could not load at least one of your enabled two-factor auth methods. Please contact your admin." which I am seeing after filling in my username/password combo and pressing the "Log in" button: I only have two 2fa methods enabled, "WebAuthn device" and "Backup code" and I am limping along with the latter...

For what it's worth, I can login myself. I do get the warning:

Could not load at least one of your enabled two-factor auth methods. Please contact your admin.

... but right below that, there's the logo of a crypto token (a yubikey?) that's actually a button which says:

WebAuthn device

Use WebAuthn for second factor authentication

when I click that I get:

WebAuthn device

Plug in your WebAuthn device and press the button below to begin authorization.

and I need another click on "Use Webauthn Device", and then I get the popup. It's quite convoluted, but it works.

a.

...

On 2022-05-19 09:49:58, Georg Koppen (@gk) wrote:

-- Antoine Beaupré torproject.org system administration

that, btw, matches the screenshots that @lavamind posted in #6 (comment 2804045)

anarcat (@anarcat):

anarcat commented on a discussion: #6 (comment 2805054)

Georg Koppen commented on a discussion: #6 (comment 2804992)

Micah Anderson (@hacim):

Micah Anderson commented on a discussion: #6 (comment 2804315)

This thing is a hot mess. The Two-Factor U2F plugin was disabled, but not removed. I've just removed it.

@lavamind can you see if you still have the issue?

FWIW, I tried with my Yubikey both in Tor Browser and a clean new Firefox profile on my Debian box but the log in failed, even after I registered my Yubikey again. While the do get the option to use WebAuthn for 2fa clicking on it asks me to plug my device in to get started with the authentication nothing actually happens afterwards. I seem to recall there was a notification bar popping up in Tor Browser/Firefox previously related to the authentification. It's missing now, too.

I guess this is related to the "Could not load at least one of your enabled two-factor auth methods. Please contact your admin." which I am seeing after filling in my username/password combo and pressing the "Log in" button: I only have two 2fa methods enabled, "WebAuthn device" and "Backup code" and I am limping along with the latter...

For what it's worth, I can login myself. I do get the warning:

Could not load at least one of your enabled two-factor auth methods. Please contact your admin.

... but right below that, there's the logo of a crypto token (a yubikey?) that's actually a button which says:

WebAuthn device

Use WebAuthn for second factor authentication

when I click that I get:

WebAuthn device

Plug in your WebAuthn device and press the button below to begin authorization.

and I need another click on "Use Webauthn Device", and then I get the popup. It's quite convoluted, but it works.

Aha, it seems I did not spend enough attention on that piece to realize that the "Use Webauthn Device" is yet another button to click (after all I already clicked "USE WEBAUTHN FOR SECOND FACTOR AUTHENTICATION" :)). Alright after clicking on that second button it works for me as well. Nice. Thanks, anarcat.

@lavamind did try again, but same issue.

this upstream issue and a pull request seems to be related.

this upstream issue and a pull request seems to be related.

this looks promising. but i'll just point out that, technically, 2FA now works. it doesn't work perfectly well and requires a lot of hoops, but maybe it's good enough to close this ticket?

or do we want to keep it open until the workflow matches the original one?

I think the original intent of the issue was to discuss if 2fa should be enforced for nextcloud.

My feeling is that until things are more smooth, it might be too early to enforce 2fa. Maybe reconsider when the many hoops are no longer there?

So I've had my Nextcloud account set up to use 2fa with an app-generated passcode for the better part of a year now, however since last week I've starting receiving this error after entering my username and password:

At present I can't actually log in to Nextcloud :s

@anarcat: would you like me to create a new issue for this instead? and/or is there a workaround I can try? I can't access my calendar or files atm :s

Update: @gaba has helped me regain access to my account (thanks gaba!). The bug still exists, but I'm not totally locked out anymore :)

there appears to be movement on the plugin to resolve this issue, hopefully the bug will be resolved soon!

@gaba what did you do to get @duncan access? Maybe I can do that for all the users on the backend to remove this problem until the issue is actually fixed.

Replied on IRC :)

i filed issue #9 (closed) about this because i think it's a separate issue.