Solved: DUO Security 2fa (Two Factor) with Nextcloud 21

ardhie · ‎06-27-2021

I use Centos 7, HTTPD, PHP 7.4 and Nexcloud 21

open and download from

then extract zip to your Nextcloud path at folder [nextcloud_path]/apps/twofactor_duo

=====================================================================

open file [nextcloud_path]/apps/twofactor_duo/appinfo/info.xml

just delete this code

<dependencies>
	<php min-version="5.6" max-version="7.1" />
	<nextcloud min-version="13" max-version="13" />
</dependencies>

and replace this <category>auth</category> to

<category>integration</category>
<category>security</category>

=====================================================================

next, open [nextcloud_path]/config/config.php

add this code before );

'twofactor_duo' => [
  'IKEY' => 'xxxx',
  'SKEY' => 'xxxxx',
  'HOST' => 'xxxxx',
  'AKEY' => 'xxxx',
],

note: for AKEY use IKEY value

=====================================================================

open this files [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvider.php

under “interface IProvider” section find all of the public functions and remove the colon and type after the function name
example: change “public function getId(): string;” to “public function getId();”. This needs to be done for all six public functions.

=====================================================================

open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php

search for “public function getCSP”. Comment out line and put in “public function getCSP();”

=====================================================================

open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php

search for “public function getCSP”. Comment out line and put in “public function getCSP();”

=====================================================================

open [nextcloud_path]/core/Controller/TwoFactorChallengeController.php

search for “return new StandaloneTemplateRe sponse” and comment out that line, and add this code

$response = new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
if ($provider instanceof IProvidesCustomCSP) {
  $response->setContentSecurityPolicy($provider->getCSP());
}
return $response;

=====================================================================
after this try to enable twofactor_duo app, you can do it directly from your Nextcloud Apps or use occ from cli

cd /nextcloud/path/directory
sudo -u apache php occ app:enable twofactor_duo

=====================================================================
use cli
sudo -u apache php occ integrity:check-core
you will see INVALID_HASH ( Failed integrity check, invalid hash)
just see under detect file with have invalid hash, had expected hash and current hash

open [nextcloud_path]/core/signature.json

find expected hash and then replace with current hash, do it all

=====================================================================
now we must create signature for twofactor_duo
first we must generate key and then crt

sudo openssl genrsa -des3 -out /etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey /etc/ssl/twofactor.key --certificate /etc/ssl/twofactor.crt

=====================================================================
try to logout and login again

Good Luck

MRobi · ‎01-23-2022

I just came back to this and actually got it working with a few changes.
First and foremost for AKEY it should be 40 characters long, so copying IKEY doesn’t work. To generate the AKEY use

dd if=/dev/random count=1 | sha256sum

Copy the output into your config as AKEY

All of the sudo -u apache commands should be changed to sudo -u www-data

After those changes I had a few issues getting the app signed with the 3 commands in the final steps.
What I did here is create the folders /etc/ssl from INSIDE the nextcloud install directory. So in my case they’re at /var/www/nextcloud/etc/ssl.

So then I ran the command modified like this

sudo openssl genrsa -des3 -out /var/www/nextcloud/etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /var/www/nextcloud/etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt

Now I ran into more issues trying to run the final command. First I was getting etc/ssl/twofactor.key does not exist. Permissions on the 2 generated files were 0600 and owner was root. So I changed the permissions to 0777 (likely not advised) and owner/group to www-data.

Ran the final command and got Error: apps/twofactor_duo/appinfo is not writable.
So I checked the permissions there, they were also 0600 and owner was root. So I did the same to the twofactor_duo directory and changed it to 0777 (also likely not advised) and owner/group to www-data.

After changing the permissions there I ran this one last time from within the nextcloud directory

sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey etc/ssl/twofactor.key --certificate etc/ssl/twofactor.crt

Successfully signed “apps/twofactor_duo”

Signed out, signed back in, success!

View solution in original post

MRobi · ‎11-04-2021

@ardhie I’ve followed all of the steps above.
After logging in, it brings me to a page located at https://myserver/login/challenge/duo showing the word Duo with no other text and no Duo push notification comes in unfortunately.
This is on version 22.2
Any advice?

Benjamin_Hobbies · ‎11-28-2021

Hello @MRobi

I have the same issue here.
Did you find a solution?

Thanks !

MRobi · ‎01-23-2022

I just came back to this and actually got it working with a few changes.
First and foremost for AKEY it should be 40 characters long, so copying IKEY doesn’t work. To generate the AKEY use

dd if=/dev/random count=1 | sha256sum

Copy the output into your config as AKEY

All of the sudo -u apache commands should be changed to sudo -u www-data

After those changes I had a few issues getting the app signed with the 3 commands in the final steps.
What I did here is create the folders /etc/ssl from INSIDE the nextcloud install directory. So in my case they’re at /var/www/nextcloud/etc/ssl.

So then I ran the command modified like this

sudo openssl genrsa -des3 -out /var/www/nextcloud/etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /var/www/nextcloud/etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt

Now I ran into more issues trying to run the final command. First I was getting etc/ssl/twofactor.key does not exist. Permissions on the 2 generated files were 0600 and owner was root. So I changed the permissions to 0777 (likely not advised) and owner/group to www-data.

Ran the final command and got Error: apps/twofactor_duo/appinfo is not writable.
So I checked the permissions there, they were also 0600 and owner was root. So I did the same to the twofactor_duo directory and changed it to 0777 (also likely not advised) and owner/group to www-data.

After changing the permissions there I ran this one last time from within the nextcloud directory

sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey etc/ssl/twofactor.key --certificate etc/ssl/twofactor.crt

Successfully signed “apps/twofactor_duo”

Signed out, signed back in, success!

shahar3000 · ‎05-07-2022

In case anyone is interested, there is this fork of the github repo in the original post: GitHub - srolfe/twofactor_duo: Experimental Duo two-factor auth provider for Nextcloud
I used this fork as is, without changing anything in nextcloud itself (beside the config part) and it works out of the box. I use nextcloud 23.0.3.

In duo, I pressed protect an application and chose Web SDK type