[solved] How to configure the 2Factor whitelist?
-
Hello all,
I use Kopano in UCS here (WebApp 3.5.5.2276). I installed the Google 2Factor plugin. It works fine. But I don't know how I can exclude the DeskApp.
Quote from the page:
The DeskApp works only without 2FA (configure the whitelist in the config.php).
Here is the part from the documentation:
* Whitelist with comma separated IP addresses or subnets IPv4 and/or IPv6 for login without 2FA
* Info: If the webserver allows IPv6 and the provider of the user supports IPv6, you have to use
* IPv6 in whitelist and every device has another IPv6 address!
* Examples: '192.168.172.0/24,127.0.0.1' or gethostbyname('uri') or
* '2003:d5:b3d9:cf00::/64' or dns_get_record('uri', DNS_AAAA)[0]["ipv6"] . "/64"
* Standard masks: '/32' (IPv4), '/128' (IPv6)
*/
define('PLUGIN_GOOGLE2FA_WHITELIST', '');
Here is my config line:
define('PLUGIN_GOOGLE2FA_WHITELIST', '77.444.71.138/27,2001:470:1f2a:577::/64,2001:470:729a:ac1::/64,192.168.2.0/26');
I do not understand how I can exclude the DeskApp.
-
To me this reads like you can only whitelist based on an IP and not based on a user agent.
-
I thought so already. It's ok :)
-
The plugin creator should check if a client is DeskApp or not.
We have a Boolean in WebApp called isDeskApp that can be used:
https://stash.kopano.io/projects/KW/repos/kopano-webapp/browse/client/zarafa/Zarafa.js#73
You can add it in (probably) the Zarafa.onReady block:
https://bitbucket.org/normanth/google2fa/src/225cf6542116f0f51854881431ddf486d5f06136/js/Google2FAPlugin.js#lines-47
So it will only register the plugin for clients that are not DeskApp.
-
Ah ok. Someone would probably have to program that.
-
@boospy Contact the plugin maintainer for that.
-
Hi,
I am the developer of Google2FA.
The two-factor authentication runs during the login process. At this time, the JavaScript part of the WebApp is not loaded. Therefore it is not possible to use the variable isDeskApp. I was not able to detect the use of the DeskApp based on the server variables (global PHP variable $_SERVER, e.g. $_SERVER['HTTP_USER_AGENT']). I would be very happy about any ideas.
Some more information (originally posted in German):
Indeed, it is currently only possible to use the DeskApp with two-factor authentication (plugin Google2FA) enabled if you configure the whitelist and then access the server from the configured IP range.
For private use you usually do not have a fixed IP address, and the server is outside the local network. Here you have the option of using DynDNS (https://de.wikipedia.org/wiki/Dynamisches_DNS). For the whitelist, pay attention to whether IPv4 or IPv6 is used; if in doubt, add both variants:
define('PLUGIN_GOOGLE2FA_WHITELIST', gethostbyname('hier.dns.eintragen') . "," . dns_get_record('hier.dns.eintragen', DNS_AAAA)[0]["ipv6"] . "/64");
As I understand it, using the variable isDeskApp is not possible, because during the login process, when the two-factor authentication check runs, the JavaScript part of the WebApp is not yet loaded. Moreover, not registering the plugin when the DeskApp is used would mean that two-factor authentication could no longer be configured via the DeskApp.
Using the server variables at login, I have so far not been able to detect whether the DeskApp is being used as the browser, for example with the help of $_SERVER['HTTP_USER_AGENT']:
[HTTPS] => on
[SSL_TLS_SNI] => www.hierdieurl.de
[HTTP_HOST] => www.hierdieurl.de
[HTTP_CONNECTION] => keep-alive
[HTTP_CACHE_CONTROL] => max-age=0
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
[HTTP_SEC_FETCH_SITE] => same-origin
[HTTP_REFERER] => https://www.hierdieurl.de/webapp/
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
[HTTP_COOKIE] => encryption-store-key=b3e843dc510c49731ed437e106ac3859; KOPANO_WEBAPP=fbmb9j08r457sifi4i2e9bqth3
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[SERVER_SIGNATURE] => <address>Apache/2.4.10 (Debian) Server at www.hierdieurl.de Port 443</address>
[SERVER_SOFTWARE] => Apache/2.4.10 (Debian)
[SERVER_NAME] => www.hierdieurl.de
[SERVER_ADDR] => 83.169.xxx.xxx
[SERVER_PORT] => 443
[REMOTE_ADDR] => 84.191.yyy.yyy
[DOCUMENT_ROOT] => /var/www/html/wordpress.hierdieurl.de
[REQUEST_SCHEME] => https
[CONTEXT_PREFIX] => /webapp
[CONTEXT_DOCUMENT_ROOT] => /usr/share/kopano-webapp
[SERVER_ADMIN] => norman@hierdieurl.de
[SCRIPT_FILENAME] => /usr/share/kopano-webapp/index.php
[REMOTE_PORT] => 56374
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /webapp/
[SCRIPT_NAME] => /webapp/index.php
[PHP_SELF] => /webapp/index.php
[REQUEST_TIME_FLOAT] => 1571248933.149
[REQUEST_TIME] => 1571248933
Perhaps someone has an idea about this…
Regards, Norman
-
Does this change help? https://stash.kopano.io/projects/KD/repos/kopano-deskapp/browse/src/package.json#59
-
Thanks marty!!! A very good hint!!! That's exactly the change I needed…
With a new DeskApp version (DeskApp version newer than 2019-05-21, e.g. version 2.4.5) and a change in the Google2FA plugin, the two-factor authentication can be disabled when the DeskApp client is used. A first test was successful.
php/plugin.google2fa.php:56ff additional code:
if (strpos($_SERVER['HTTP_USER_AGENT'], " KopanoDeskapp/") !== false) break;
In the Google2FA configuration file I will create an option to activate this function.
Of course, the activation poses a risk as it offers the opportunity to bypass the two-factor authentication. I will create a new Google2FA version in the next days.
Thanks, Norman
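Added example (written for this page; it is not code from the Google2FA plugin, Kopano WebApp or DeskApp): a small PHP model of the two exemptions discussed in this thread, the IP/CIDR whitelist from the opening post and Norman's DynDNS note (IPv4 and IPv6, standard masks /32 and /128), and the DeskApp user-agent token from the post above. It runs the decision against constructed sample requests, including the 77.444.71.138 entry from the opening post (which inet_pton rejects), a forged X-Forwarded-For header arriving through a trusted proxy, and a curl request that copies the DeskApp token, to make the bypass risk Norman mentions concrete. PLUGIN_GOOGLE2FA_WHITELIST is the plugin's real option; the trusted-proxy and allow-DeskApp keys, the exact user-agent layout and all addresses are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Added example, not the Google2FA plugin's own code. Config keys below are
// local to this demo; only the whitelist format follows the plugin's docs.

/** True if $ip lies inside $cidr; a bare address gets the standard /32 or /128 mask. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', trim($cidr), 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // invalid entry or IPv4/IPv6 family mismatch
    }
    $maxBits = strlen($netBin) * 8;         // 32 for IPv4, 128 for IPv6
    if ($bits === null) {
        $bits = $maxBits;
    } elseif (!ctype_digit($bits) || (int) $bits > $maxBits) {
        return false;                       // "/abc" or "/200" must never match everything
    } else {
        $bits = (int) $bits;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;    // high bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** Client address: honour X-Forwarded-For only when REMOTE_ADDR is a configured proxy. */
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    foreach ($trustedProxies as $proxy) {
        if ($xff !== '' && ipInCidr($remote, $proxy)) {
            // The rightmost hop is the one the trusted proxy appended; the
            // leftmost entries are client-supplied and cannot be trusted.
            $hops = array_map('trim', explode(',', $xff));
            return end($hops);
        }
    }
    return $remote;
}

/** Match $ip against the comma-separated whitelist; invalid entries are skipped, never matched. */
function isWhitelisted(string $ip, string $whitelist, array &$warnings): bool
{
    foreach (array_filter(array_map('trim', explode(',', $whitelist))) as $entry) {
        if (@inet_pton(explode('/', $entry, 2)[0]) === false) {
            $warnings[] = "ignoring invalid whitelist entry '$entry'";
            continue;
        }
        if (ipInCidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

/** DeskApp builds newer than 2019-05-21 (e.g. 2.4.5) carry " KopanoDeskapp/<version>" in the UA. */
function isDeskApp(array $server): bool
{
    return strpos($server['HTTP_USER_AGENT'] ?? '', ' KopanoDeskapp/') !== false;
}

function twoFactorRequired(array $server, array $cfg, array &$warnings): bool
{
    $ip = clientIp($server, $cfg['trusted_proxies']);
    if (isWhitelisted($ip, $cfg['whitelist'], $warnings)) {
        return false;
    }
    return !($cfg['allow_deskapp'] && isDeskApp($server));
}

// Constructed sample data: the whitelist from the opening post plus one assumed trusted proxy.
$cfg = [
    'whitelist'       => '77.444.71.138/27,2001:470:1f2a:577::/64,2001:470:729a:ac1::/64,192.168.2.0/26',
    'trusted_proxies' => ['10.0.0.0/8'],
    'allow_deskapp'   => true,
];
$chrome  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36';
$deskapp = $chrome . ' KopanoDeskapp/2.4.5';   // token placement assumed for the demo
$requests = [
    'LAN client inside /26'        => ['REMOTE_ADDR' => '192.168.2.17', 'HTTP_USER_AGENT' => $chrome],
    'LAN client outside /26'       => ['REMOTE_ADDR' => '192.168.2.100', 'HTTP_USER_AGENT' => $chrome],
    'IPv6 client in /64'           => ['REMOTE_ADDR' => '2001:470:1f2a:577:abcd::1', 'HTTP_USER_AGENT' => $chrome],
    'forged XFF via trusted proxy' => ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_X_FORWARDED_FOR' => '192.168.2.5, 203.0.113.9', 'HTTP_USER_AGENT' => $chrome],
    'DeskApp from the Internet'    => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_USER_AGENT' => $deskapp],
    'curl -A with the same token'  => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_USER_AGENT' => 'curl/7.64.0 KopanoDeskapp/2.4.5'],
];
$warnings = [];
foreach ($requests as $label => $server) {
    printf("%-30s 2FA %s\n", $label, twoFactorRequired($server, $cfg, $warnings) ? 'required' : 'skipped');
}
echo implode("\n", array_unique($warnings)), "\n";
```

The last two sample requests give the same answer, which is the point of Norman's warning: the user-agent header is chosen by the client, so anyone who knows the token can send it and skip the second factor from any address. The forged X-Forwarded-For case shows why the plugin's trusted-proxy fix matters: only the hop appended by a proxy you actually operate should decide which address is compared with the whitelist.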
-
The new Google2FA version is available:
- Port configuration for MySQL
- Function to use DeskApp without two-factor authentication
- Fix problem with using trusted proxies
-
@norman If you like, you could also make a PR for DeskApp to add support for your plugin.
-
@norman Really, really nice! So fast, and it works like a charm.
Good work! Thanks very much.