syspass / plugin-authenticator Goto Github PK

Hello!

I'm trying to use the authenticator plugin in a docker-compose setup with Syspass 3.1.2. Based on the docker-compose.yml file in the documentation, it looks like this:

version: '2'
services:
  app:
    container_name: syspass-app
    image: syspass/syspass:3.1.2
    restart: always
    ports:
      - "80"
      - "443"
    links:
      - db
    volumes:
      - syspass-config:/var/www/html/sysPass/app/config
      - syspass-backup:/var/www/html/sysPass/app/backup
    environment:
      - COMPOSER_EXTENSIONS=syspass/plugin-authenticator:^2.1
  db:
    container_name: syspass-db
    restart: always
    image: mariadb:10.2
    environment:
      - MYSQL_ROOT_PASSWORD=syspass
    ports:
      - "3306"
    volumes:
      - syspass-db:/var/lib/mysql

volumes:
  syspass-config: {}
  syspass-backup: {}
  syspass-db: {}

During startup of the syspass-app container, however, I see log messages like these:

syspass-app | setup_composer_extensions: syspass/plugin-authenticator:^2.1
syspass-app | ~ /var/www/html
syspass-app | run_composer: Running composer
syspass-app | ./composer.json has been updated
syspass-app | Loading composer repositories with package information
syspass-app | Updating dependencies
syspass-app | Your requirements could not be resolved to an installable set of packages.
syspass-app | 
syspass-app |   Problem 1
syspass-app |     - The requested package phpseclib/phpseclib (locked at 2.0.21, required as ~2.0.25) is satisfiable by phpseclib/phpseclib[2.0.21] but these conflict with your requirements or minimum-stability.
syspass-app |   Problem 2
syspass-app |     - The requested package php-di/php-di (locked at 6.0.9, required as ~6.0.11) is satisfiable by php-di/php-di[6.0.9] but these conflict with your requirements or minimum-stability.
syspass-app | 
syspass-app | Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.
syspass-app | 
syspass-app | Installation failed, reverting ./composer.json to its original content.

It seems like the dependencies specified in either composer.json or composer.lock don't agree with each other between the authenticator and Syspass itself?

What's interesting is that if I switch to version 3.1.1 of Syspass (image: syspass/syspass:3.1.1), everything seems to work fine:

syspass-app | setup_composer_extensions: syspass/plugin-authenticator:^2.1
syspass-app | ~ /var/www/html
syspass-app | run_composer: Running composer
syspass-app | ./composer.json has been updated
syspass-app | Loading composer repositories with package information
syspass-app | Updating dependencies
syspass-app | Package operations: 3 installs, 0 updates, 0 removals
syspass-app |   - Installing syspass/extension-installer-plugin (dev-master 84775dd): Cloning 84775ddce1 from cache
syspass-app |   - Installing bacon/bacon-qr-code (1.0.3): Downloading (100%)         
syspass-app |   - Installing syspass/plugin-authenticator (v2.1.0): Downloading (100%)         
syspass-app | Package jeremeamia/SuperClosure is abandoned, you should avoid using it. Use opis/closure instead.
syspass-app | Writing lock file
syspass-app | Generating optimized autoload files
syspass-app | /var/www/html

Would it be possible to update the authenticator plugin and release a new version that's compatible with the Syspass 3.1.2 release?

Hi,
after the installation of your plugin, the qr code isn't displayed as the screen attached.
No error inside the log and moving the mouse over the "image" the cursor change from arrow to a different: in my opinion don't works the rendering of qr code.
The syspass-ap is the latest 3.2.2.
I added the line
- COMPOSER_EXTENSIONS=syspass/plugin-authenticator:^v2.2
into docker-compose.yml

I found the following lines during the update of the container:

1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Package jeremeamia/superclosure is abandoned, you should avoid using it. Use opis/closure instead.
Package fzaninotto/faker is abandoned, you should avoid using it. No replacement was suggested.
Package phpunit/dbunit is abandoned, you should avoid using it. No replacement was suggested.
Package phpunit/php-token-stream is abandoned, you should avoid using it. No replacement was suggested.
Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested.
Generating optimized autoload files
Class SP\Tests\SP\Services\UserGroup\UserToUserGroupServiceTest located in ./tests/SP/Services/UserGroup/UserToUserGroupServiceTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Services\UserGroup\UserGroupServiceTest located in ./tests/SP/Services/UserGroup/UserGroupServiceTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Services\User\UserServiceTest located in ./tests/SP/Services/User/UserServiceTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Services\UserProfile\UserProfileServiceTest located in ./tests/SP/Services/UserProfile/UserProfileServiceTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Services\UserPassRecover\UserPassRecoverServiceTest located in ./tests/SP/Services/UserPassRecover/UserPassRecoverServiceTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Repositories\UserToUserGroupRepositoryTest located in ./tests/SP/Repositories/UserToUserGroupRepositoryTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\Repositories\UserGroupRepositoryTestCase located in ./tests/SP/Repositories/UserGroupRepositoryTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Util\UtilTest located in ./tests/SP/Util/UtilTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Core\Acl\AclTest located in ./tests/SP/Core/Acl/AclTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Core\Crypt\SecureKeyCookieTest located in ./tests/SP/Core/Crypt/SecureKeyCookieTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Core\Crypt\HashTest located in ./tests/SP/Core/Crypt/HashTest.php does not comply with psr-4 autoloading standard. Skipping.
Class SP\Tests\SP\Core\Crypt\CryptPKITest located in ./tests/SP/Core/Crypt/CryptPKITest.php does not comply with psr-4 autoloading standard. Skipping.

Hi,
I using syspass 3.0 with some information as picture.

Based on document the plugin-authenticator version 2.1 should be used. But after installed version 2.1 successful.

the server internal error 500 happened.

and found some http error-log like this:

Could you please tell me which version should I use for my environment?

Thank you so much,

Br

Hello can you give me a step by step to install you plugin please, for docker-compose 3.1.2

thanks a lot

Would it be possible to add a policy to force all users or users in a group to use 2FA?
Thanks

I have backed up and restored an existing SysPass to a new instance. 2FA is working on the original instance but on the new instance, when I try to enable 2FA and enter the code, it always comes back with "Wrong Code".

I have tried disabled and re-enabling the plugin, resetting the plugin data and using different auth apps all with the same result.

No errors in the SysPass.log.

Google Chrome web browser.

Hello team,
I have enabled 2FA and was using it to login to syspass.

However I lost my cell phone and had to reinstall it from backup on a new phone.

When trying to login to syspass, 2FA gives "wrong code" error. Since I am the administrator and hence I cant login at the moment I dont know how to disable 2FA to change/re-enable google authenticator.

Can someone please help me how to disable 2FA within shell/config file/database etc. to re-scan QR code. Thank you for your helps in advance.

Regards,
Emre.

Installation on last release syspass, php7.1 on centos 7.6
Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested.
Package phpunit/dbunit is abandoned, you should avoid using it. No replacement was suggested.

Hi,

Firstly, thank, Syspass is awesome,

And I got a question,

Do you think it's possible to authenticate with a device like Smartcard ?

We use Yubikey in enterprise, it's secure, but on syspass connected to LDAP we have to use our password, do you think one day it could be possible to use a syspass with a smartcard?

I think it is possible to use a security key by Yubico

Thank in advance,

Hello,

I have problem with Authenticator ( in Syspass 3.2, Authenticator 2.2.1).
When I enable Authenticator in Plugins, I see in User prefereneces only text "Class 'BaconQrCode\Renderer\Image\Png' not found" nothing else.
When I disable Autheticator in Plugins, It works good, I could set some User preference.
Please how I solve this problem?

Thnaks

Hey,

I dockerized syspass-app and add Authenticator plugins. But each time the app said the code is not available. Any idea ?

Hello,

We just start with this project and we install a fresh copy of the server with composer. After we use composer to list the available package (composer suggest) and pick league/oauth2-google, install dependency and everything go fine. Login with admin, enable the plugin, create a test user, connecting with the test user, edit the profile for enabling 2FA, scan QR code and activate it, logout and try to login and get this error
There was an error
SyntaxError: Unexpected token C in JSON at position 0

Call to undefined method SP\Core\Events\EventMessage::getData()

Do you have any idea ?

Thanks !

I have a problem with the installation of the authenticator plugin

In my docker-compose.yml I've added following lines:
COMPOSER_EXTENSIONS=syspass/plugin-authenticator:^v2.0

When I build the container then I become following error:

The requested PHP extension ext-xdebug * is missing from your system. Install or enable PHP's xdebug extension.

Do you have a solution for this problem?

Thanks

update syspass to the latest release 2.1.12 and also the Authenticator plugin 1.1.0.
I like the feature about getting a temporary code emailed, the issue is that once i log in i want to disable the 2 factor authentication but i get an error saying i need to enter a code. How would a disable the two factor ? Was the plug in suppose to disable the two factor ?

Please advice, thanks!

Hi,

We have an issue, when we try to update any account is already existing when we click on save button nothing happen.

We have ; 2.1 (2.1.16.18061901)

Using One Time Password to login seems mandatory for sufficient security.

But when you have to connect 15 times a day, it's tedious ...

It would be very convenient to be able to authorize the connection without OTP for x minutes or hours after a first connection on the same browser, as can be seen in most web applications that use OTP.

Thank you

Hello,

we've decided to force 2fa for all the syspass users in the company. Some users, however, started complaining that they cannot enable 2fa in the profile settings. They toggle the switch, scan the QR code and write down the verification code. After hitting save, they get the green bar "preferences saved" but 2fa gets immediatelly disabled again and a new QR code is displayed.

I have tracked the problem down to a DB schema deficiency. The column plugin_data under the table plugins is defined as VARBINARY(5000). Since each user settings consumes about 600B (recovery codes take a lot), after about 8-10 users one hits the column size limit and all successive MySQL save queries start to fail. The problem is even more anoying since if the query fails, the exception is turned into false return in savePluginUserData and the user only gets one green bar instead of two (but no error message). So he/she is unaware of the saving problem. The solution at the moment was to update the column definition to VARBINARY(32768) but this is only a short-term solution. As the number of users can grow to hundreds, this storage schema will not scale (since VARBINARY is capped to 65k, I believe).

sidenote: Why is there a use2fa field under the usrData table which is always set to 0 when there is a complete settings under plugins?

Best regards,

David Fabian

I copied the Material Blue theme and changed some css colours, then installed the MFA plugin, but it doesn't work if the copied theme is active.

Hi

After getting sent the recovery code, i'm redirected to:

authenticator/checkCode/undefined

to a 404 not found...

Please advice

Hello,
since there isnt an option yet to enforce the 2FA on users, we thought to enforce it "manually" and check that everyone will not disable it by making an alert on our remote syslog at a given event like "user edited the 2FA" or "user removed it".
I know there is an event called "show.userSettings" but that is generated everytime a user click or edit a generic setting, not only the 2FA.

My question: is there a specific event that tells when a user makes a change in the 2FA?
If not it would be great if it will be implemented in the future releases.

Thank you for the hard work on syspass, its really a great tool 👍

Regards

add support for syspass 3.2 please

Is there any way to redefine the user account when he loses his device that saves the authenticator of Google authenticator?

Hi,
I cannot use the Plugin. I hit "aktivate" and syspass answers, it's avtivated.
But when I hit "show plugin" i get the following Error Message:

SyntaxError: JSON.parse: unexpected character at line 2 column 1 of JSON data

I use the download from the master-branch.
Here are my version numbers:

sysPass Version
3.1-RC2 (310.19043001)                         
Config: 310.19043001                         
App: 310.19043001                         
DB: 310.19043001
--
Datenbank
SERVER_VERSION : 5.5.60-MariaDB                                             
CLIENT_VERSION : mysqlnd 5.0.12-dev - 20150407 - $Id: 7cc7cc96e675f6d72e5cf0f267f48e167c2abb23 $                                             
SERVER_INFO : Uptime:  6499967  Threads: 1  Questions: 794816  Slow queries: 0  Opens: 158   Flush tables: 2  Open tables: 53  Queries per second avg: 0.122                                              
CONNECTION_STATUS : Localhost via UNIX socket                                         
Name: syspass@localhost
--
PHP
Version: 7.3.5                         
--
Server
Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.5

Thanks for your help :)

Is this plugin still in development? It seems like it has been abandoned

I installed the Plugin and enabled it in my environment, but I was unable to activate this function in users.
Does anyone know how to activate?

Hello,

I have just upgraded syspass to the newest version and everything seems to work fine except for the 2fa plugin. After installing the v2 version and enabling it in the admin menu, nobody is able to log in because the 2fa plugin outputs internal error on every log in attempt.

The reason for this is a change in IV processing for existing users/configurations. When the user attempts to verify a PIN, syspass will load the corresponding IV from the DB. In the old version, this raw IV is then encoded using Base2N and then passed to the google authentication. In the new version, the raw IV is sent directly to the google authenticator which raises an exception (Google2FA.php, line 100) since the raw IV contains invalid base32 characters, e.g. 5718d5e75278.....d3dfbdd4c9a.

To fix this, one has to emulate the old behavior and add this to AuthenticatorService.php:

    public static function verifyKey(string $key, string $iv)
    {
        $base32 = new Base2n(
            5,
            'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
            false,
            true,
            true
        );
        $iv = substr($base32->encode($iv), 0, 16);
        return Google2FA::verify_key($iv, $key);
    }

After this change to verifyKey(), everything starts working.

Best regards,

David Fabian

Combining the newest master branch of nuxsmin/sysPass@a2858ed and sysPass-Plugins 6bc9937 gives me this error:

PHP Warning:  require(/var/www/html/syspass/inc/Plugins/LICENSE/LICENSEPlugin.class.php): failed to open stream: No such file or directory in /var/www/html/syspass/inc/SplClassLoader.php
PHP Fatal error:  require(): Failed opening required '/var/www/html/syspass/inc/Plugins/LICENSE/LICENSEPlugin.class.php' (include_path='.:/usr/share/php') in /var/www/html/syspass/inc/SplClassLoader.php on line 173

I'm running syspass v3 rc4 without issue without docker, but when I try to add this plugin with composer I get the following issue and syspass breaks until I delete the Authenticator folder in plugins.

https://pastebin.com/raw/Jann1t1D

is it me doing something wrong?

Hi,
I was trying this out to see how well it would work, running the latest syspass available on docker hub (3.2.11), but it fails due to php being too old:

[Wed Sep 28 04:18:26.470977 2022] [php7:error] [pid 905] [client ] PHP Fatal error: Composer detected issues in your platform: Your Composer dependencies require a PHP version ">= 7.4.0". You are running 7.3.31-1~deb10u1. in /var/www/html/sysPass/vendor/composer/platform_check.php on line 24

Being the type of person I am, I disabled the check and everything works fine, but out of the box it doesn't seem to work currently.

Hello,

the pin input should have autofocus enabled when the 2fa plugin requests a PIN. It is inconvenient to use mouse to focus the field and then start typing. Simply adding the autofocus attribute to the element is enough, I think.

Best regards,

David Fabian

Hi,

1. How enable MFA if the MFA plugin is installed on sysPAss for users?
2. How can we test that the MFA plugin is installed and configured correctly?

Many thanks.

Hola,
he conseguido instalar el plugin en sysPass 3.1 pero no soy capaz de ver como debo de configurar.

Instalar plugin-authenticator

apt-get install php7.2-xdebug
service apache2 restart

cd /var/www/html/syspass
php composer.phar require syspass/plugin-authenticator:^v2.1

Una vez instalado lo he activado, entiendo que debería de aparecer algún código Qr pero no se donde buscarlo. En el apartado usuario no veo ninguna nueva opción.

Pueden ayudarme?
Gracias.

Hello.

Tried install plugin with php composer.phar require syspass/plugin-authenticator:^v2.1, but have an error

    - The requested package phpseclib/phpseclib (locked at 2.0.21, required as ~2.0.25) is satisfiable by phpseclib/phpseclib[2.0.21] but these conflict with your requirements or minimum-stability.
  Problem 2
    - The requested package php-di/php-di (locked at 6.0.9, required as ~6.0.11) is satisfiable by php-di/php-di[6.0.9] but these conflict with your requirements or minimum-stability.


Installation failed, reverting ./composer.json to its original content.

Also tried install with php composer.phar require --no-update syspass/plugin-authenticator, but no any plugins appear in Syspass plugins tab.

What I'm doing wrong? Thanks in advance.

It would be useful to be as inclusive as possible in this plugin description.

By indicating only that it works "with Google Authenticator" this may give the impression it only works with GA.

Other applications that this may work with, as I understand it, are KeepassXC, AndOTP, etc.

I would propose "Plugin to add two factor authentication (2FA) support to sysPass login for applications that implement Time-based One-time Password Algorithm (TOTP) as specified in RFC 6238.

This has been tested with AndOTP, KeepassXC, Google Authenticator."

... or similar

I noticed that when installing the plugin, users who are using the pt-br language (Portuguese) do not see the QR Code. It goes blank. When changing to English again, the QR Code is displayed when refreshing the page.

I searched and didn't find any similar topic on the internet, is there any fix?

Hi,

i tried to install this to the v3 version but it does not work. What i did:

cd /var/www/vhosts/pw.THEDOMAIN.de/app/modules/web/plugins
git clone https://github.com/nuxsmin/sysPass-Plugins.git
cd sysPass-Plugins
mv * ../
cd ..
rm -rf sysPass-Plugins
cd ..
chown -R www-data:www-data plugins
chmod -R 750 plugins

i gues this does not work due to some structural changes right?

regards, Mario

I copied the "Authenticator" folder to the "Plugins" folder on the sysPass server however it is still saying that there are no loaded plugins when I look at the "Information" tab in Configuration.

According to your Plugins page (https://doc.syspass.org/en/application/plugins.html), it states that there needs to be a lowercase authenticator.po file but I don't see that in the zip file that I downloaded from Github.

The text field retains the previously used code.
It would probably be better to prevent it.
autocomplete="off" ??

Hi,

I try to install this plugin but it throw me an error everytime.

version: '2' services: app: container_name: syspass-app image: syspass/syspass:3.2.1 restart: always ports: - "8282:80" - "8383:443" links: - db volumes: - ./data/syspass-config:/var/www/html/sysPass/app/config - ./data/syspass-backup:/var/www/html/sysPass/app/backup environment: - USE_SSL=yes - COMPOSER_EXTENSIONS=syspass/plugin-authenticator:^v2.2 db: container_name: syspass-db restart: always image: mariadb:10.2 environment: - MYSQL_ROOT_PASSWORD=syspass ports: - "3306" volumes: - ./data/syspass-db:/var/lib/mysql

`entrypoint: Starting with UID : 9001
setup_app: Setting up permissions
setup_composer_extensions: syspass/plugin-authenticator:^v2.2
~ /var/www/html
run_composer: Running composer
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

Problem 1
- Installation request for syspass/extension-installer-plugin v2.0.0 -> satisfiable by syspass/extension-installer-plugin[v2.0.0].
- syspass/extension-installer-plugin v2.0.0 requires composer-plugin-api ^2.0 -> no matching package found.
Problem 2
- syspass/plugin-authenticator v2.2.0 requires syspass/extension-installer-plugin ^2.0 -> satisfiable by syspass/extension-installer-plugin[v2.0.0].
- syspass/plugin-authenticator v2.2.1 requires syspass/extension-installer-plugin ^2.0 -> satisfiable by syspass/extension-installer-plugin[v2.0.0].
- syspass/extension-installer-plugin v2.0.0 requires composer-plugin-api ^2.0 -> no matching package found.
- Installation request for syspass/plugin-authenticator ^v2.2 -> satisfiable by syspass/plugin-authenticator[v2.2.0, v2.2.1].

Potential causes:

• A typo in the package name - The package is not available in a stable-enough version according to your minimum-stability setting
  see https://getcomposer.org/doc/04-schema.md#minimum-stability for more details.
• It's a private package and you forgot to add a custom repository to find it
  Read https://getcomposer.org/doc/articles/troubleshooting.md for further common problems.
  Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.

Installation failed, reverting ./composer.json to its original content.`

Could you help me on this ?

Regards,

Hey,
first of all a big thx for this cool tool. I have started playing around an for my small company all features are given.

Just a small enhancemend would be a cool new feature: storing OTP passwords in account's. I would DONATE for this feature ;-)

thx & regards