
roundcube-plugin-kolab-2fa's People

Contributors

stevleibelt, thomascube

roundcube-plugin-kolab-2fa's Issues

Debian 10 Buster & RC 1.3.16 - twofactor gauthenticator is missing

Hello,

I have Roundcube 1.3.16 on Debian 10 Buster. I followed the instructions and got the files from the 1.3.9 branch. I also added 'twofactor_gauthenticator' in config.inc.php. When logged in to RC, the plugin is missing from Settings.
Default PHP version on Debian 10 is 7.3.
Could anyone advise what I could have done wrong? I appreciate any advice.

Thanks in advance

QR code is invalid.

I'm using kolab_2fa_drivers set to totp, kolab_2fa_storage set to roundcube.
How do I configure the plugin so the generated QR code in Roundcube becomes valid?
When I scan using my Google Authenticator / Authy app I get a message saying: QR code is invalid.

This is my config.inc.php:

// available methods/providers. Supported methods are: 'totp','hotp','yubikey'
$config['kolab_2fa_drivers'] = array('totp');

// backend for storing 2-factor-auth related per-user settings
// available backends are: 'roundcube', 'ldap', 'sql'
$config['kolab_2fa_storage'] = 'roundcube';

// additional config options for the above storage backend
// here an example for the LDAP backend:
$config['kolab_2fa_storage_config'] = array(
    'debug' => false,
    'hosts' => array('localhost'),
    'port' => 389,
    'bind_dn' => 'uid=kolab-auth-service,ou=Special Users,dc=example,dc=org',
    'bind_pass' => 'Welcome2KolabSystems',
    'base_dn' => 'ou=Tokens,dc=example,dc=org',
    // filter used to list stored factors for a user
    'filter' => '(&(objectClass=ipaToken)(objectclass=ldapSubEntry)(ipatokenOwner=%fu))',
    'scope' => 'sub',
    // translates driver properties to LDAP attributes
    'fieldmap' => array(
        'label' => 'cn',
        'id' => 'ipatokenUniqueID',
        'active' => 'ipatokenDisabled',
        'created' => 'ipatokenNotBefore',
        'userdn' => 'ipatokenOwner',
        'secret' => 'ipatokenOTPkey',
        // HOTP attributes
        'counter' => 'ipatokenHOTPcounter',
        'digest' => 'ipatokenOTPalgorithm',
        'digits' => 'ipatokenOTPdigits',
    ),
    // LDAP object classes derived from factor IDs (prefix)
    // will be translated into the %c placeholder
    'classmap' => array(
        'totp:' => 'ipatokenTOTP',
        'hotp:' => 'ipatokenHOTP',
        '*' => 'ipaToken',
    ),
    // translates property values into LDAP attribute values and vice versa
    'valuemap' => array(
        'active' => array(
            false => 'TRUE',
            true => 'FALSE',
        ),
    ),
    // specify non-string data types for properties for implicit conversion
    'attrtypes' => array(
        'created' => 'datetime',
        'counter' => 'integer',
        'digits' => 'integer',
    ),
    // apply these default values to factor records if not specified by the drivers
    'defaults' => array(
        'active' => false,
        // these are required for ipatokenHOTP records and should match the kolab_2fa_hotp parameters
        'digest' => 'sha1',
        'digits' => 6,
    ),
    // use this LDAP attribute to compose DN values for factor entries
    'rdn' => 'ipatokenUniqueID',
    // assign these object classes to new factor entries
    'objectclass' => array(
        'top',
        'ipaToken',
        '%c',
        'ldapSubEntry',
    ),
    // add these roles to the user's LDAP record if key prefix-matches a factor entry
    'user_roles' => array(
        'totp:' => 'cn=totp-user,dc=example,dc=org',
        'hotp:' => 'cn=hotp-user,dc=example,dc=org',
    ),
);

// force a lookup for active authentication factors for this user.
// to be set by another plugin (e.g. kolab_auth based on LDAP roles)
// $config['kolab_2fa_check'] = true;

// timeout for 2nd factor auth submission (in seconds)
$config['kolab_2fa_timeout'] = 120;

// configuration parameters for TOTP (uncomment to adjust)
$config['kolab_2fa_totp'] = array(
    'digits' => 6,
    'interval' => 30,
    'digest' => 'sha1',
    'issuer' => 'Roundcube',
);

// configuration parameters for HOTP (uncomment to adjust)
$config['kolab_2fa_hotp'] = array(
    // 'digits' => 6,
    // 'window' => 4,
    // 'digest' => 'sha1',
);

// configuration parameters for Yubikey (uncomment to adjust)
$config['kolab_2fa_yubikey'] = array(
    'clientid' => '123456',
    'apikey' => '',
    // 'hosts' => array('api.myhost1.com','api2.myhost.com'),
    'use_https' => true, // connect via https if set to true
);

Feature request: Backup codes

Hi,
It would be nice to be able to generate backup codes if you need to log in and it is not possible to use the 2fa device.

/Anders

Can't verify...

OS: Debian 11
Webserver: nginx
PHP Version: 8.0.28
Roundcube: 1.6.1

Log dump:

2023-03-01T11:46:05.012573+01:00 darke roundcube: RcubeUser::write() {"label":"Mobile App (TOTP)","created":xxxxxxxxxx,"secret":"XXXXXXXXXXXXXXXX"}
2023-03-01T11:46:28.211773+01:00 darke roundcube: PHP Warning: Undefined array key "loglevel" in /opt/www/roundcubemail-1.4.1/plugins/kolab_2fa/lib/Kolab2FA/Storage/Base.php on line 85
2023-03-01T11:46:28.212459+01:00 darke roundcube: PHP Warning: Undefined array key "loglevel" in /opt/www/roundcubemail-1.4.1/plugins/kolab_2fa/lib/Kolab2FA/Storage/Base.php on line 85
2023-03-01T11:46:28.212571+01:00 darke roundcube: PHP Warning: Undefined array key "totp:096101dd5ac0aa97b67dae9d" in /opt/www/roundcubemail-1.4.1/plugins/kolab_2fa/kolab_2fa.php on line 317
2023-03-01T11:46:28.212662+01:00 darke roundcube: PHP Warning: Undefined array key "storage" in /opt/www/roundcubemail-1.4.1/plugins/kolab_2fa/lib/Kolab2FA/Driver/Base.php on line 107
2023-03-01T11:46:28.212752+01:00 darke roundcube: RcubeUser::read() totp:xxxxxxxxxxxxxxxxxxxxxxxx
2023-03-01T11:46:28.212834+01:00 darke roundcube: PHP Fatal error: Uncaught TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, int given in /opt/www/roundcubemail-1.4.1/vendor/spomky-labs/otphp/lib/OTP.php:345
2023-03-01T11:46:28.212917+01:00 darke roundcube: Stack trace:
2023-03-01T11:46:28.212998+01:00 darke roundcube: #0 /opt/www/roundcubemail-1.4.1/vendor/spomky-labs/otphp/lib/OTP.php(345): hash_equals()
2023-03-01T11:46:28.213076+01:00 darke roundcube: #1 /opt/www/roundcubemail-1.4.1/vendor/spomky-labs/otphp/lib/TOTP.php(75): OTPHP\OTP->compareOTP()
2023-03-01T11:46:28.213152+01:00 darke roundcube: #2 /opt/www/roundcubemail-1.4.1/plugins/kolab_2fa/lib/Kolab2FA/Driver/TOTP.php(85): OTPHP\TOTP->verify()
2023-03-01T11:46:28.213234+01:00 darke roundcube: #3 /opt/www/roundcubemail-1.4.1/plugins/kolab_2fa/kolab_2fa.php(634): Kolab2FA\Driver\TOTP->verify()
2023-03-01T11:46:28.213316+01:00 darke roundcube: #4 /opt/www/roundcubemail-1.4.1/program/lib/Roundcube/rcube_plugin_api.php(575): kolab_2fa->settings_save()
2023-03-01T11:46:28.213391+01:00 darke roundcube: #5 /opt/www/roundcubemail-1.4.1/program/include/rcmail.php(255): rcube_plugin_api->exec_action()
2023-03-01T11:46:28.213463+01:00 darke roundcube: #6 /opt/www/roundcubemail-1.4.1/index.php(278): rcmail->action_handler()
2023-03-01T11:46:28.213536+01:00 darke roundcube: #7 {main}
2023-03-01T11:46:28.213616+01:00 darke roundcube: thrown in /opt/www/roundcubemail-1.4.1/vendor/spomky-labs/otphp/lib/OTP.php on line 345

How to enable?

Roundcubemail v1.5.2 on Rocky Linux 8

I have the plugin installed at plugins/kolab_2fa,
I copied config.inc.php.dist to config.inc.php (left as default with driver as totp and storage as roundcube),
I installed the required plugins per the README (composer install ....),
I have the plugin added at config/config.inc.php in $config['plugins'] array,
I can add 2nd factor at Settings --> Multi-Factor Auth,
But upon attempt to log in, it does NOT query for the second factor.

What am I missing?

Settings view error on RoundCube 1.4.7

I was able to successfully install the plugin using composer, but when I go to the settings page and click on Multi-Factor Auth I get the error listed below.

FILE NOT FOUND
The requested resource was not found!
Please contact your server-administrator.
Failed request: /cpsess5784839230/3rdparty/roundcube/index.php?_task=settings&_action=plugin.kolab-2fa

Dangerous script! - synchronise_with_source.sh

Documentation for this plugin suggests:

How to upgrade this clone:

Execute the synchronise_with_source.sh shell script.

Although there is no more detail on how to run this script.

A perhaps not unreasonable assumption is that, having done composer require ..., it should be run from within the ./plugins/kolab_2fa directory.

This script deletes, without warning, the contents of the parent of the directory in which it is run.

I guess it's supposed to be run from within ./plugins/kolab_2fa/lib ? or possibly /plugins/kolab_2fa/bin but bin doesn't seem to be included in the version installed by composer require.

Even then, it nukes any existing config.inc.php (which has, say, the Yubico API key etc. in it!)

Let's just say I have not had a fun morning.

root@turing:/srv/roundcubemail-1.6.1/plugins# ls -la
drwxr-xr-x  4 root root 4096 Mar 28 12:56 acl
drwxr-xr-x  2 root root 4096 Mar 28 12:56 additional_message_headers
drwxr-xr-x  3 root root 4096 Mar 28 12:56 archive
drwxr-xr-x  3 root root 4096 Mar 28 12:56 attachment_reminder
drwxr-xr-x  2 root root 4096 Mar 28 12:56 autologon
drwxr-xr-x  2 root root 4096 Mar 28 12:56 autologout
drwxr-xr-x  2 root root 4096 Mar 28 13:16 banner_ics
drwxr-xr-x  4 root root 4096 Jun 18  2022 contextmenu
drwxr-xr-x  7 root root 4096 Mar 28 13:16 contextmenu_folder
drwxr-xr-x  2 root root 4096 Mar 28 12:56 database_attachments
drwxr-xr-x  3 root root 4096 Mar 28 12:56 debug_logger
drwxr-xr-x  3 root root 4096 Mar 28 12:56 emoticons
drwxr-xr-x  6 root root 4096 Mar 28 13:19 enigma
drwxr-xr-x  2 root root 4096 Mar 28 12:56 example_addressbook
drwxr-xr-x  5 root root 4096 Mar 28 13:16 fetchmail
drwxr-xr-x  2 root root 4096 Mar 28 12:56 filesystem_attachments
drwxr-xr-x  2 root root 4096 Mar 28 13:16 globaladdressbook
drwxr-xr-x  5 root root 4096 Mar 28 12:56 help
drwxr-xr-x  3 root root 4096 Mar 28 12:56 hide_blockquote
drwxr-xr-x  2 root root 4096 Jan 23 20:03 http_authentication
drwxr-xr-x  2 root root 4096 Mar 28 12:56 identicon
drwxr-xr-x  2 root root 4096 Mar 28 12:56 identity_select
drwxr-xr-x  4 root root 4096 Mar 28 12:56 jqueryui
drwxr-xr-x  2 root root 4096 Mar 28 12:56 krb_authentication
drwxr-xr-x  7 root root 4096 Nov 21  2021 larry
drwxr-xr-x  7 root root 4096 Mar 28 12:56 managesieve
drwxr-xr-x  4 root root 4096 Mar 28 12:56 markasjunk
drwxr-xr-x  3 root root 4096 Mar 28 12:56 newmail_notifier
drwxr-xr-x  3 root root 4096 Mar 28 12:56 new_user_dialog
drwxr-xr-x  2 root root 4096 Mar 28 12:56 new_user_identity
drwxr-xr-x  5 root root 4096 Mar 28 12:56 password
drwxr-xr-x  2 root root 4096 Mar 28 12:56 reconnect
drwxr-xr-x  2 root root 4096 Mar 28 12:56 redundant_attachments
drwxr-xr-x  2 root root 4096 Mar 28 12:56 show_additional_headers
drwxr-xr-x  2 root root 4096 Mar 28 12:56 squirrelmail_usercopy
drwxr-xr-x  3 root root 4096 Mar 28 12:56 subscriptions_option
drwxr-xr-x  4 root root 4096 Jan 17 23:09 twofactor_webauthn
drwxr-xr-x  3 root root 4096 Mar 28 12:56 userinfo
drwxr-xr-x  3 root root 4096 Mar 28 12:56 vcard_attachments
drwxr-xr-x  2 root root 4096 Mar 28 12:56 virtuser_file
drwxr-xr-x  2 root root 4096 Mar 28 12:56 virtuser_query
drwxr-xr-x  3 root root 4096 Mar 28 12:56 zipdownload

root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# chmod 755 ./synchronise_with_source.sh
root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# ./synchronise_with_source.sh
fatal: not a git repository (or any of the parent directories): .git
Cloning into '.'...
remote: Counting objects: 41143, done.
remote: Compressing objects: 100% (14876/14876), done.
remote: Total 41143 (delta 29567), reused 33903 (delta 23810)
Receiving objects: 100% (41143/41143), 11.22 MiB | 559.00 KiB/s, done.
Resolving deltas: 100% (29567/29567), done.
Note: switching to 'roundcubemail-plugins-kolab-3.5.9'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 971c8d71 Bump version
/srv/roundcubemail-1.6.1/plugins/kolab_2fa

:: Done
   Please create latest tag >>roundcubemail-plugins-kolab-3.5.9<<.

root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# ls -alrt
total 0

root@turing:/srv/roundcubemail-1.6.1/plugins/kolab_2fa# cd ..
root@turing:/srv/roundcubemail-1.6.1/plugins# ls -lart
total 88
drwxr-xr-x 13 root root  4096 Mar 28 13:23 ..
drwxr-xr-x  3 root root  4096 Mar 28 13:29 kolab_2fa
drwxr-xr-x  3 root root  4096 Mar 28 13:29 lib
-rw-r--r--  1 root root  4555 Mar 28 13:29 config.inc.php.dist
drwxr-xr-x  4 root root  4096 Mar 28 13:29 skins
drwxr-xr-x  2 root root  4096 Mar 28 13:29 localization
-rw-r--r--  1 root root 28567 Mar 28 13:29 kolab_2fa.php
-rw-r--r--  1 root root 13058 Mar 28 13:29 kolab2fa.js
-rw-r--r--  1 root root   863 Mar 28 13:29 composer.json
drwxr-xr-x  6  501   80  4096 Mar 28 13:29 .
-rw-r--r--  1 root root  4213 Mar 28 13:29 README.md

... oopsie! Where did all my plugins go? 😒

Would suggest the following:

  • Document how this script is supposed to be used.
  • Build in a sanity check before clobbering the parent directory, e.g. check for an existing config.inc.php or composer.json belonging to the plugin (e.g. grep -c '"name": "kolab/kolab_2fa"' composer.json).
  • Check we're in the directory we're supposed to be in.
  • Backup any existing config.inc.php or leave it alone.
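
The sanity checks proposed in the list above, sketched as an added example (not the project's synchronise_with_source.sh and not code from the issue): a preflight that refuses to proceed unless the target directory is the kolab_2fa plugin root, and that copies config.inc.php aside first. Function names and return codes are assumptions; the package-name string is the one quoted in the issue.

```shell
#!/bin/sh
# Added example, not the project's script. Function names are hypothetical.
# The package-name string is the one quoted in the issue above.
PLUGIN_NAME='"name": "kolab/kolab_2fa"'

# preflight_check DIR: succeed only if DIR is the kolab_2fa plugin root.
# Return codes: 1 not a directory, 2 no composer.json, 3 wrong package,
# 4 unexpected directory name.
preflight_check() {
    dir=$1
    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
    [ -f "$dir/composer.json" ] ||
        { echo "refusing: no composer.json in $dir" >&2; return 2; }
    grep -qF "$PLUGIN_NAME" "$dir/composer.json" ||
        { echo "refusing: $dir is not the kolab/kolab_2fa package" >&2; return 3; }
    real=$(cd "$dir" && pwd -P) || return 1
    [ "$(basename "$real")" = kolab_2fa ] ||
        { echo "refusing: $real is not named kolab_2fa" >&2; return 4; }
    return 0
}

# backup_config DIR BACKUP_DIR: copy DIR/config.inc.php (it may hold API keys)
# to BACKUP_DIR, readable by the owner only. Prints the backup path, or
# nothing when there is no config file to preserve.
backup_config() {
    src=$1/config.inc.php
    [ -f "$src" ] || return 0
    mkdir -p "$2" || return 1
    dest=$2/config.inc.php.$(date +%Y%m%d%H%M%S)
    ( umask 077; cp "$src" "$dest" ) || return 1
    chmod 600 "$dest" || return 1
    echo "$dest"
}

# Stand-alone use: sh preflight.sh PLUGIN_DIR BACKUP_DIR
# Exits non-zero, having touched nothing, unless every check passes.
if [ "$#" -eq 2 ]; then
    preflight_check "$1" || exit $?
    backup_config "$1" "$2" || exit 5
fi
```

Keep the backup directory outside the Roundcube tree so that a later cleanup of the plugins directory cannot reach it.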

Installation questions

I performed the install as directed (git clone, composer install for dependencies and enabling in RC config file), but nothing has shown in the RC settings panel so far.

Questions:

  1. Do I need a backend for simple TOTP 2FA (we are using mysql for RC)?
  2. Do I need to enable or do anything else to get this going?
  3. Where are the log files kept for errors and troubleshooting? (I checked RC logs, nothing shows re. this plugin)

php8 warning

I know this is not the original repository, but this is what I am currently using (and it doesn't seem to be in sync with kolab's version right now, right?)

Trying to fix a PHP 8.x warning, e.g.:
PHP Warning: Undefined array key "kolab_2fa_blob" in \plugins\kolab_2fa\lib\Kolab2FA\Storage\RcubeUser.php on line 175

line 175 reads:
return (array)$prefs[$this->key2property('blob')];

Does anyone know how to get around that message being logged?

3.5.5 Code verification for Mobile App (TOTP) failed

I would like to enable TOTP for use with the Microsoft/Google Authenticator mobile app, using Roundcube 1.4.11 (PHP 7.4, IIS, MS Server 2019).

I installed the plugin, enabled composer and ran composer.phar to install all required 3rd party libraries. Everything seems to have worked; no errors were returned by composer.phar or in the general roundcube error.log.

The plugin loads fine in Roundcube, but I am unable to verify my 6 char TOTP code; it always returns:

Code verification for Mobile App (TOTP) failed

I tried both the Google Authenticator mobile app and the Microsoft Authenticator mobile app; both fail with TOTP.
console.log doesn't display any error(s).

FYI, the HOTP driver works for the Google Authenticator mobile app, but not for the Microsoft Authenticator mobile app.
