TOTP doesn't work anymore on OC 10

zubanst · September 18, 2021, 8:10am

Steps to reproduce

TOTP 0.7.2 activated on OC 10.7.0.4 and used for years. All a sudden, I got authentication errors and could not log in to my admin account
I had to log in on console on the server and disable the app for my user ID to go through
Reactivated the app from the web console to get a new QR code to register with FreeOTP, or Google Authenticator.

Expected behaviour

Code verified and and 2FA registred with the app

Actual behaviour

I keep getting ‘Code not verified’, so I cannot use anymore the app

Server configuration

Operating system:
Ubuntu 18.04 LTS
Web server:
Apache 2.4.29
Database:
Mysql 5.7.34
PHP version:
PHP 7.2.24
ownCloud version: (see ownCloud admin page)
10.7.0.4
Updated from an older ownCloud or fresh install:
10.6.0.5
Where did you install ownCloud from:
Owncloud web site
Signing status (ownCloud 9.0 and above):
No errors have been found.

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and puth the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

gist.github.com

https://gist.github.com/zubanst/93ad95ead0d90f13efb0cd97cfd52c75

config_report_20190810.json

{
    "basic": {
        "license key": "***REMOVED SENSITIVE VALUE***",
        "date": "Sat, 10 Aug 2019 08:35:26 +0000",
        "ownCloud version": "10.2.1.4",
        "ownCloud version string": "10.2.1",
        "ownCloud edition": "Community",
        "server OS": "Linux",
        "server OS version": "Linux blog 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64",
        "server SAPI": "apache2handler",

This file has been truncated. show original

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Enabled:

activity:
- Version: 2.6.0
- Path: /var/www/html/owncloud/apps-external/activity
afterlogic:
- Version: 1.2.3
- Path: /var/www/html/owncloud/apps-external/afterlogic
announcementcenter:
- Version: 1.2.2
- Path: /var/www/html/owncloud/apps-external/announcementcenter
bookmarks:
- Version: 0.10.6
- Path: /var/www/html/owncloud/apps-external/bookmarks
brute_force_protection:
- Version: 1.1.0
- Path: /var/www/html/owncloud/apps-external/brute_force_protection
calendar:
- Version: 1.6.4
- Path: /var/www/html/owncloud/apps-external/calendar
carnet:
- Version: 0.19.1
- Path: /var/www/html/owncloud/apps-external/carnet
checksum:
- Version: 0.3.5
- Path: /var/www/html/owncloud/apps-external/checksum
comments:
- Version: 0.3.0
- Path: /var/www/html/owncloud/apps/comments
configreport:
- Version: 0.2.0
- Path: /var/www/html/owncloud/apps/configreport
contacts:
- Version: 1.5.5
- Path: /var/www/html/owncloud/apps-external/contacts
customgroups:
- Version: 0.6.2
- Path: /var/www/html/owncloud/apps-external/customgroups
dav:
- Version: 0.6.0
- Path: /var/www/html/owncloud/apps/dav
drawio:
- Version: 0.0.9
- Path: /var/www/html/owncloud/apps-external/drawio
external:
- Version: 1.4.0
- Path: /var/www/html/owncloud/apps/external
extract:
- Version: 1.2.4
- Path: /var/www/html/owncloud/apps-external/extract
federatedfilesharing:
- Version: 0.5.0
- Path: /var/www/html/owncloud/apps/federatedfilesharing
federation:
- Version: 0.1.0
- Path: /var/www/html/owncloud/apps/federation
files:
- Version: 1.5.2
- Path: /var/www/html/owncloud/apps/files
files_antivirus:
- Version: 1.0.0
- Path: /var/www/html/owncloud/apps-external/files_antivirus
files_clipboard:
- Version: 1.0.3
- Path: /var/www/html/owncloud/apps-external/files_clipboard
files_external:
- Version: 0.7.1
- Path: /var/www/html/owncloud/apps/files_external
files_external_dropbox:
- Version: 1.2.0
- Path: /var/www/html/owncloud/apps-external/files_external_dropbox
files_external_ftp:
- Version: 0.2.1
- Path: /var/www/html/owncloud/apps-external/files_external_ftp
files_external_s3:
- Version: 1.0.0
- Path: /var/www/html/owncloud/apps-external/files_external_s3
files_mediaviewer:
- Version: 1.0.4
- Path: /var/www/html/owncloud/apps/files_mediaviewer
files_pdfviewer:
- Version: 1.0.0
- Path: /var/www/html/owncloud/apps-external/files_pdfviewer
files_primary_s3:
- Version: 1.1.2
- Path: /var/www/html/owncloud/apps-external/files_primary_s3
files_sharing:
- Version: 0.14.0
- Path: /var/www/html/owncloud/apps/files_sharing
files_texteditor:
- Version: 2.3.1
- Path: /var/www/html/owncloud/apps-external/files_texteditor
files_trashbin:
- Version: 0.9.1
- Path: /var/www/html/owncloud/apps/files_trashbin
files_versions:
- Version: 1.3.0
- Path: /var/www/html/owncloud/apps/files_versions
files_videoplayer:
- Version: 0.10.1
- Path: /var/www/html/owncloud/apps/files_videoplayer
firstrunwizard:
- Version: 1.2.0
- Path: /var/www/html/owncloud/apps/firstrunwizard
gallery:
- Version: 16.1.1
- Path: /var/www/html/owncloud/apps-external/gallery
guests:
- Version: 0.9.3
- Path: /var/www/html/owncloud/apps-external/guests
impersonate:
- Version: 0.5.0
- Path: /var/www/html/owncloud/apps-external/impersonate
market:
- Version: 0.6.1
- Path: /var/www/html/owncloud/apps-external/market
music:
- Version: 1.3.2
- Path: /var/www/html/owncloud/apps-external/music
notes:
- Version: 2.0.6
- Path: /var/www/html/owncloud/apps-external/notes
notifications:
- Version: 0.5.2
- Path: /var/www/html/owncloud/apps/notifications
oauth2:
- Version: 0.5.0
- Path: /var/www/html/owncloud/apps-external/oauth2
onlyoffice:
- Version: 7.1.1
- Path: /var/www/html/owncloud/apps-external/onlyoffice
password_policy:
- Version: 2.1.2
- Path: /var/www/html/owncloud/apps-external/password_policy
provisioning_api:
- Version: 0.5.0
- Path: /var/www/html/owncloud/apps/provisioning_api
systemtags:
- Version: 0.3.0
- Path: /var/www/html/owncloud/apps/systemtags
tasks:
- Version: 0.9.7
- Path: /var/www/html/owncloud/apps-external/tasks
templateeditor:
- Version: 0.4.0
- Path: /var/www/html/owncloud/apps-external/templateeditor
twofactor_totp:
- Version: 0.7.2
- Path: /var/www/html/owncloud/apps-external/twofactor_totp
updatenotification:
- Version: 0.2.1
- Path: /var/www/html/owncloud/apps/updatenotification
web:
- Version: 3.4.1
- Path: /var/www/html/owncloud/apps-external/web
  Disabled:
encryption:
- Path: /var/www/html/owncloud/apps/encryption
user_external:
- Path: /var/www/html/owncloud/apps/user_external

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
no

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:
Firefox latest, Chrome, latest
Operating system:
Windows, Ubuntu

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

dmitry · September 18, 2021, 11:27pm

Hello,

do you have something in your log files that could help us find the cause if this issue?

something is not right with your ownCloud, if you are on 10.7 then why does it state that you are on 10.2 in your config report. Did you maybe install multiple ownCloud installations on the same server?

In addition, you should know that php 7.2 will be no longer supported in future versions of ownCloud server:

https://doc.owncloud.com/server/10.7/admin_manual/release_notes.html#php-7-2-deprecation-note

You should consider upgrading.

zubanst · September 20, 2021, 6:47pm

There is nothing in the logs and this occurred all a sudden, like yesterday it worked ant today it doesn’t work anymore, without any changes whatsoever server side or the app side. Moreover, I restored a one week old backup of the server where I am sure everything worked and it is the same. Something changed in the whole infrastructure in the way keys are verified. I have the latest versions of OC and the 2FA app, as they are published on the production channel. Unless I get some intelligence about, I need to report it as a bug and a regression. Is there anybody with those versions of the server and the app having them working?
About the config report, sorry, I mixed it up with an old one. The good one is here : ownCloud

zubanst · September 21, 2021, 2:18pm

Well, I wanted to investigate deeper, see the QR code content generated for registration with FreeOTP in order to give the community more details about the issue, and all a sudden, checking again the registration, the generated key worked. So the same way the code didn’t work overnight, it worked again. Once more, I didn’t change anything on the OC server configuration or in the app. The proof that there is a instability in the app generating the codes or the whole infrastructure. Anyway, now that it works, I can’t do more to investigate but the overnight behavior is worrying for a production system. Fortunately other users didn’t call complaining they cannot authenticate with their account. I’ll keep monitoring the behavior, that’s all I can do for now. Case is suspended.

system · December 20, 2021, 2:19pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.