loki36 / user-otp
OTP Backend for owncloud
When any other authentication method than "Standard authentication" is chosen, the ownCloud user in the user menu disappears.
Hi,
Great work on this plugin! It took me a few minutes to get this to work with my Yubikey NEO (http://www.yubico.com/products/yubikey-hardware/yubikey-neo/ - but should work with any other Yubikey as well). The USB key acts as a keyboard and generates an OTP upon pressing a button, following the HOTP standard. Google is running trials in their offices with this method of two-factor authentication, I'm expecting this to take off soon.
One change is required to get this plugin to work with the Yubikey: allow prefix PINs of arbitrary length and with arbitrary characters. Every Yubikey has a (configurable) prefix, which contains letters and numbers, and is much longer than 4 characters by default. Example prefix: aabb23168389. This prefix, followed by the 6 or 8 digit OTP is "typed" by the Yubikey upon pressing its button.
For the time being, I patched my user_otp/lib/otp.php to only consider the last 8 digits of the provided OTP password.
Another suggestion: allow for a hex-based input of the HOTP secret (seed), rather than just base32. The Yubikey configuration software accepts its secrets in hex, so being able to enter the HOTP secret in hex in ownCloud would smooth the integration.
Cheers,
Bas
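As an added illustration of the two changes this post asks for (it is not the plugin's code, and is written in Python rather than the plugin's PHP): an HOTP check that treats everything before the trailing 6 or 8 digits as a Yubikey-style prefix of arbitrary length, accepts the seed as hex or base32, and searches a bounded look-ahead window, which is the HOTP "accuracy"/event window that later issues on this page ask to make configurable. The seed is the RFC 4226 test secret and the prefix is the example from the post; both are constructed inputs.

```python
import base64
import hashlib
import hmac
import struct

# Constructed inputs: the RFC 4226 test secret "12345678901234567890" as hex
# (the form the Yubikey configuration tool shows) and as base32.
SEED_HEX = "3132333435363738393031323334353637383930"
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
YUBI_PREFIX = "aabb23168389"  # example prefix from the issue text


def decode_seed(seed, fmt):
    """Decode the HOTP secret; fmt is "hex" or "base32".

    An explicit format flag is used instead of guessing, because a base32
    string made of A-F and 2-7 is also valid hex.
    """
    s = seed.strip().replace(" ", "")
    if fmt == "hex":
        return bytes.fromhex(s)
    if fmt == "base32":
        s = s.upper().rstrip("=")
        return base64.b32decode(s + "=" * (-len(s) % 8))
    raise ValueError("seed format must be 'hex' or 'base32'")


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_prefix(typed, digits):
    """The key types <prefix><otp>; the OTP is the trailing `digits` characters."""
    if len(typed) < digits or not typed[-digits:].isdigit():
        return None, None
    return typed[:-digits], typed[-digits:]


def verify(typed, secret, expected_prefix, last_counter, digits=6, window=10):
    """Return the accepted counter, or None. Only counters after last_counter are
    tried (replay protection), at most `window` of them; the caller stores the result."""
    prefix, otp = split_prefix(typed, digits)
    if otp is None or not hmac.compare_digest(prefix.encode(), expected_prefix.encode()):
        return None
    for counter in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, counter, digits), otp):
            return counter
    return None
```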
js/utils.js needs to use root path of owncloud installation for referencing password.svg
js/util.js e.g.
<label class="infield" for="otpPassword">One Time Password</label><img id="password-icon" class="svg" alt="" src="/owncloud/core/img/actions/password.svg">
left: 1.25em;
opacity: 0.3;
position: absolute;
top: 1.65em;
}
-> top: change to 1.1em, then it's properly aligned...
While the admin config works out fine, logged in as a user, I get a database error in my postgres log:
2014-02-22 17:21:32 CET ERROR: invalid byte sequence for encoding "UTF8": 0x89
2014-02-22 17:21:32 CET STATEMENT: UPDATE "oc_user_otp" SET "request_prefix_pin" =$1,"algorithm" =$2,"token_seed" =$3,"user_pin" =$4,"number_of_digits" =$5,"time_interval" =$6,"last_event" =$7,"last_login" =$8,"error_counter" =$9,"locked" =$10,"qrcode" =$11 WHERE "user"=$12
Refreshing the user settings, I can see that the OTP config was supposedly added (a clue that there's an issue is that no QR code shows - just a broken image icon), but if I log out and try to log in again, it prevents you from getting in, presenting you with some qrcode related error.
I initially tried it with the master branch, but using the dev branch didn't help (even after I dropped the oc_user_otp table and any settings of the plugin from the oc_appinfo table).
Is there any additional information I can provide to help identify the issue?
I get the following error when I activate two-factor authentication as authentication method. There is also no OTP field displayed at login.
Error - PHP - Undefined index: PATH_INFO at /var/www/html/owncloud/apps/user_otp/lib/otp.php#256
It would be nice to be able to set my own "accuracy", meaning that I can set how many codes are checked; in my case I'd only need the current code plus 2 before and after it (TOTP), and in the case of HOTP I'd like to be able to check not a hundred codes but maybe only 50 or so (I don't know the defaults...).
link to #44 in file app.php
On the user > personal page, I cannot seem to change my password at all. When entering the correct current and a new password, clicking on "change password" just gives me a "wrong password" message. I've made sure that the password hasn't been changed.
This applies to user and admin. I haven't checked a user without OTP enabled.
So right now I can only set a new password via the admin > users screen.
I've just installed user-otp in OC 6.0.0a running with lighttpd on Debian 7 and it seems it doesn't work for me.
OTP Configuration in the admin panel seemed to be working.
If you are using the app in an ownCloud installation which uses PostgreSQL as database, you get the following error if you try to activate OTP for a user:
2013-10-24 20:00:38 CEST ERROR: syntax error at or near "user" at character 28
2013-10-24 20:00:38 CEST STATEMENT: INSERT INTO "oc_user_otp" (user,request_prefix_pin,algorithm,token_seed,user_pin,number_of_digits,time_interval,last_event,last_login,error_counter,locked) VALUES($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11)
It seems that the parameters of the SQL statement are not replaced correctly.
There is no error during the installation and configuration of the app as admin. The database table user_otp is created too.
If you have it set to "Two-factor authentication (User needs password AND OTP to connect, if user is in the OTP db file)", a user can log in once, delete the UserTokenQrCode, and then log in with only a password.
A suggestion might be to replace the delete option (under UserTokenQrCode) for users with a change option that would generate a new QR code, so they can't disable OTP by themselves.
Even if one chooses the HOTP algorithm, it says "TOTP Configuration" on the Personal Settings page. Maybe it does not make a difference, but then it should just be named "OTP Configuration".
see #44
User Algorithm (TOTP/HOTP) should be a dropdown where you can only choose from those two values, since there are only 2 algorithms to choose from. It decreases possible configuration failures.
When activating the app, the page goes "blank". The Apache error log says:
PHP Fatal error: Call to a member function isCached() on a non-object in /var/www/owncloud/apps/user_ldap/user_ldap.php on line 144
Even if a different value, e.g. 8, is chosen, it creates a 6-digit PIN and one cannot log in.
When "Standard OR OTP authentication" is chosen, one can log in and log out with every newly created token. When set to "Replace password by OTP", one can only log in once, cannot log in immediately with the next OTP PIN, and gets the error:
ERROR: Token delayed (too many tries, but still a hope in a few minutes)
Hello,
I get this error when I create the QR code in the personal page:
gd-png: fatal libpng error: Invalid number of colors in palette
After that, everything works, but I'm not able to see the QR code.
Thanks for your help.
Provide a button that automatically generates the "Encryption Key", maybe with an option to choose the length. The default value could be 32, for example. If the user doesn't want this, he can still choose his own key.
Wanted to use One Time Password, but when switching to 2-step verification and trying to log in I got this error:
ERROR: Unable to write the changes in the file
Which file does it want to write to, and as which user?
Any help would be appreciated.
Best regards from Germany
Sascha
For years I've been using OTP with ebay and they allow you to enter your regular password followed by the OTP in the same field. That allows you to enter both in one go without the need for a separate OTP field or another page with a separate field to enter the OTP.
Would it be possible for you to add this as an extra option? That way I could require OTP on my ownCloud without giving away that my server uses OTP (which might lead a possible attacker to try hacking the WebDAV access instead of wasting their time on the web login).
Activating "Replace password by OTP" or "Two factor authenticator" disables the ability to sync via CardDAV/CalDAV/WebDAV.
Hi,
It's not quite clear what the plugin's HOTP event window is. It's probably dictated by multiotp? I'd like to be able to configure that in the administrator interface.
Thanks!
Bas
When the user-otp app is installed, it becomes impossible to set an email for the account. This is very important if you want to use the Mozilla Sync app, which requires an email to be set in the personal settings page. What I did is disable the user-otp app, set an email and enable the user-otp app again. Using this workaround I have been able to use the Mozilla Sync app.
Hope this gets fixed in the next release.
Best!
What happens if one does not set an "Encryption Key" or a "User Token Seed"? Does MultiOTP create a random one by itself? If that were the case then Issue #18 wouldn't be necessary. Just an explanation like: "(if left blank, it will be generated automatically)".
I can't set OTP for Users using the web interface, it says "Route "isadmin" does not exist."
Thanks
Instead I get a white page.
Edit:
Now it reloads but I had to disable the Antivirus plugin.
I had already set the login to require both the regular password and OTP. When I tried to log in as admin to change that setting, I wasn't able to get in without the OTP even though my admin user had not yet been set up with OTP. It required me to enter an OTP. Is there a special OTP that you need to enter if OTP isn't set up for that user?
I was able to change the authMethod setting back with a database edit which allowed me to get back in.
I verified in the admin personal settings that no OTP was set up. I also double checked the database. The user_otp table doesn't contain the admin user.
If a value other than 30 is chosen one cannot login.
When 2 Factor Authentication is set, the icon is not shown when ownCloud is accessed from a subdomain, e.g. cloud.my.domain instead of www.my.domain/owncloud/
In the utils.js file this line needs to be changed from:
src="/owncloud/core/img/actions/password.svg"
to:
src="/core/img/actions/password.svg"
Create a page for admin with the list of all users with OTP
I added the .htaccess file to prevent direct access to the .db file and the QR code. But this is bogus security; furthermore, the QR code won't be displayed on the Personal Settings page. The only secure way to do this would be to store the image and the values from the .db file in the ownCloud database.
If I click on "Create" on my personal page under "OTP Configuration" nothing happens (only the site reloads).
If I leave the input field blank it doesn't generate a token seed, nor does anything happen if I insert a token seed.
It also doesn't throw a warning/error in the log: http://abload.de/img/20140218-122857s4jcl.png
clarify admin page parameters for HOTP
see #34
How long is the waiting time before one can login again after a wrong token has been used?
e.g. What does "User Prefix Pin" mean and why should I use it? What does "Max Block Failures" mean?
Hi,
I have installed and have activated OTP, on Owncloud 6.0.3.
I am seeing lots of timezone related errors:
Error PHP date_default_timezone_set(): Timezone ID '' is invalid at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#3759 2014-05-21T20:50:11+00:00
Error PHP Undefined index: timezone at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#3756 2014-05-21T20:50:11+00:00
Error PHP Undefined index: display_log at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#2504 2014-05-21T20:50:11+00:00
Error PHP Undefined index: debug at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#2499 2014-05-21T20:53:45+00:00
Error PHP Undefined index: log at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#2494 2014-05-21T20:53:45+00:00
Error PHP Undefined index: backend_type_validated at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#1996 2014-05-21T20:53:45+00:00
Error PHP date_default_timezone_set(): Timezone ID '' is invalid at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#3759 2014-05-21T20:50:11+00:00
Error PHP Undefined index: timezone at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#3756 2014-05-21T20:50:11+00:00
Error PHP Undefined index: display_log at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#2504 2014-05-21T20:50:11+00:00
Error PHP Undefined index: debug at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#2499 2014-05-21T20:50:11+00:00
Error PHP Undefined index: log at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#2494 2014-05-21T20:50:11+00:00
Error PHP Undefined index: backend_type_validated at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#1996 2014-05-21T20:50:11+00:00
Error PHP date_default_timezone_set(): Timezone ID '' is invalid at /var/www/owncloud/apps/user_otp/3rdparty/multiotp/multiotp.class.php#3759 2014-05-21T20:50:11+00:00
Any thoughts about this issue? I have the timezone set correctly in php.ini. Here is my system info:
OS Debian Wheezy 32bit
MySQL 5.5.37
PHP 5.4.4-14+deb7u9
Apache 2.2.22
Cheers
Lee
In the dev branch you changed the way user token seeds are created. Now they only contain numbers. I can't argue how in-/secure this might be. Apparently you do this because "android token" can't handle other characters.
Wouldn't it be better to have a checkbox for "android token"? When checked it only creates numeric tokens, otherwise a token that contains all possible characters gets created.
update multiOTP lib with 4.0.4
When one clicks in the normal ownCloud password field the cursor is placed beside the password icon. In the OTP password field it is placed on top of the password icon.
Furthermore the ownCloud password-field makes the text "Password" appear in a different color (semitransparent/ light grey).
When pressing "Create" to create a Token a dialog pops open and just says "error"
When the OTP app is ON, it's not possible to change the normal password. You need to turn the OTP app "OFF", change the password and turn it "ON" again.
Whilst testing the user-otp app, I wanted to add some additional users to play around with. However, whenever I try to create a new user (ownCloud 6.0.1), ownCloud tells me "The username is already being used". After disabling the user-otp app, the problem disappears and I can create users again.
Luckily, after re-enabling the plugin, it appears to have saved the old OTP configurations (i.e., the oc_user_otp table is not removed on plugin de-activation).