06-27-2021 01:01 AM
open and download from
then extract zip to your Nextcloud path at folder [nextcloud_path]/apps/twofactor_duo
=====================================================================
open file [nextcloud_path]/apps/twofactor_duo/appinfo/info.xml
just delete this code
<dependencies>
<php min-version="5.6" max-version="7.1" />
<nextcloud min-version="13" max-version="13" />
</dependencies>
and replace this <category>auth</category>
with
<category>integration</category>
<category>security</category>
=====================================================================
next, open [nextcloud_path]/config/config.php
add this code before );
'twofactor_duo' => [
'IKEY' => 'xxxx',
'SKEY' => 'xxxxx',
'HOST' => 'xxxxx',
'AKEY' => 'xxxx',
],
note: for AKEY use IKEY value
=====================================================================
open this file [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvider.php
under the “interface IProvider” section, find all of the public functions and remove the colon and type after the function name
example: change “public function getId(): string;” to “public function getId();”. This needs to be done for all six public functions.
=====================================================================
open [nextcloud_path]/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php
search for “public function getCSP”. Comment out that line and put in “public function getCSP();”
=====================================================================
open [nextcloud_path]/core/Controller/TwoFactorChallengeController.php
search for “return new StandaloneTemplateResponse” and comment out that line, and add this code
$response = new TemplateResponse($this->appName, 'twofactorshowchallenge', $data, 'guest');
if ($provider instanceof IProvidesCustomCSP) {
$response->setContentSecurityPolicy($provider->getCSP());
}
return $response;
=====================================================================
after this try to enable twofactor_duo app, you can do it directly from your Nextcloud Apps or use occ
from cli
cd /nextcloud/path/directory
sudo -u apache php occ app:enable twofactor_duo
=====================================================================
use cli
sudo -u apache php occ integrity:check-core
you will see INVALID_HASH ( Failed integrity check, invalid hash)
for each file detected with an invalid hash, look at the expected hash and the current hash listed under it
open [nextcloud_path]/core/signature.json
find each expected hash and replace it with the current hash; do this for all of them
=====================================================================
now we must create signature for twofactor_duo
first we must generate key and then crt
sudo openssl genrsa -des3 -out /etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey /etc/ssl/twofactor.key --certificate /etc/ssl/twofactor.crt
=====================================================================
try to logout and login again
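An added example, not part of the original post and not Nextcloud's own code: before any expected hash in core/signature.json is overwritten, this lists which files really differ on disk and separates the three core files the steps above edit from anything else that changed. It assumes signature.json holds a top-level "hashes" object mapping relative paths to SHA-512 hex digests; the function names and the small demo tree are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Core files the steps above edit by hand (paths as given in the post).
EXPECTED_EDITS = {
    "lib/public/Authentication/TwoFactorAuth/IProvider.php",
    "lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php",
    "core/Controller/TwoFactorChallengeController.php",
}

def audit(root, signature_path, expected_edits=EXPECTED_EDITS):
    """Compare each file listed in signature.json with its on-disk SHA-512."""
    root = Path(root)
    hashes = json.loads(Path(signature_path).read_text())["hashes"]
    report = {"expected": [], "unexpected": [], "missing": []}
    for rel, want in sorted(hashes.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif hashlib.sha512(target.read_bytes()).hexdigest() != want.lower():
            # A mismatch is only acceptable for a file edited on purpose.
            bucket = "expected" if rel in expected_edits else "unexpected"
            report[bucket].append(rel)
    return report

def demo():
    """Run the audit on a constructed three-file tree (not a real install)."""
    edited = "core/Controller/TwoFactorChallengeController.php"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hashes = {}
        for rel in (edited, "lib/base.php", "version.php"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"<?php // original\n")
            hashes[rel] = hashlib.sha512(b"<?php // original\n").hexdigest()
        sig = root / "core" / "signature.json"
        sig.write_text(json.dumps({"hashes": hashes}))
        # One intended edit, and one change that nobody made on purpose.
        (root / edited).write_bytes(b"<?php // patched\n")
        (root / "lib/base.php").write_bytes(b"<?php // changed\n")
        return audit(root, sig)

if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

On a real install, call audit() with the Nextcloud root and the path to core/signature.json; any entry under "unexpected" or "missing" is a file to investigate rather than a hash to copy over.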
01-23-2022 08:42 AM
I just came back to this and actually got it working with a few changes.
First and foremost for AKEY it should be 40 characters long, so copying IKEY doesn’t work. To generate the AKEY use
dd if=/dev/random count=1 | sha256sum
Copy the output into your config as AKEY
All of the sudo -u apache commands should be changed to sudo -u www-data
After those changes I had a few issues getting the app signed with the 3 commands in the final steps.
What I did here is create the folders /etc/ssl from INSIDE the nextcloud install directory. So in my case they’re at /var/www/nextcloud/etc/ssl.
So then I ran the command modified like this
sudo openssl genrsa -des3 -out /var/www/nextcloud/etc/ssl/twofactor.key 2048
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /var/www/nextcloud/etc/ssl/twofactor.key -out /etc/ssl/twofactor.crt
Now I ran into more issues trying to run the final command. First I was getting etc/ssl/twofactor.key does not exist. Permissions on the 2 generated files were 0600 and owner was root. So I changed the permissions to 0777 (likely not advised) and owner/group to www-data.
Ran the final command and got Error: apps/twofactor_duo/appinfo is not writable.
So I checked the permissions there, they were also 0600 and owner was root. So I did the same to the twofactor_duo directory and changed it to 0777 (also likely not advised) and owner/group to www-data.
After changing the permissions there I ran this one last time from within the nextcloud directory
sudo -u apache php occ integrity:sign-app --path apps/twofactor_duo --privateKey etc/ssl/twofactor.key --certificate etc/ssl/twofactor.crt
Successfully signed “apps/twofactor_duo”
Signed out, signed back in, success!
11-04-2021 06:09 AM
@ardhie I’ve followed all of the steps above.
After logging in, it brings me to a page located at https://myserver/login/challenge/duo showing the word Duo with no other text and no Duo push notification comes in unfortunately.
This is on version 22.2
Any advice?
11-28-2021 07:30 AM
05-07-2022 12:26 PM
In case anyone is interested, there is this fork of the github repo in the original post: GitHub - srolfe/twofactor_duo: Experimental Duo two-factor auth provider for Nextcloud
I used this fork as is, without changing anything in nextcloud itself (besides the config part) and it works out of the box. I use nextcloud 23.0.3.
In Duo, I pressed protect an application and chose Web SDK type.