TOTP doesn't work anymore on OC 10

Steps to reproduce

  1. TOTP 0.7.2 activated on OC 10.7.0.4 and used for years. All of a sudden, I got authentication errors and could not log in to my admin account
  2. I had to log in on console on the server and disable the app for my user ID to go through
  3. Reactivated the app from the web console to get a new QR code to register with FreeOTP, or Google Authenticator.

Expected behaviour

Code verified and 2FA registered with the app

Actual behaviour

I keep getting ‘Code not verified’, so I cannot use the app anymore

Server configuration

Operating system:
Ubuntu 18.04 LTS
Web server:
Apache 2.4.29
Database:
Mysql 5.7.34
PHP version:
PHP 7.2.24
ownCloud version: (see ownCloud admin page)
10.7.0.4
Updated from an older ownCloud or fresh install:
10.6.0.5
Where did you install ownCloud from:
Owncloud web site
Signing status (ownCloud 9.0 and above):
No errors have been found.

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

Log in to the web-UI with an administrator account and click on
'admin' -> 'Generate Config Report' -> 'Download ownCloud config report'
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

or 

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

*ATTENTION:* Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove *all* host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.

Enabled:

  • activity:
    • Version: 2.6.0
    • Path: /var/www/html/owncloud/apps-external/activity
  • afterlogic:
    • Version: 1.2.3
    • Path: /var/www/html/owncloud/apps-external/afterlogic
  • announcementcenter:
    • Version: 1.2.2
    • Path: /var/www/html/owncloud/apps-external/announcementcenter
  • bookmarks:
    • Version: 0.10.6
    • Path: /var/www/html/owncloud/apps-external/bookmarks
  • brute_force_protection:
    • Version: 1.1.0
    • Path: /var/www/html/owncloud/apps-external/brute_force_protection
  • calendar:
    • Version: 1.6.4
    • Path: /var/www/html/owncloud/apps-external/calendar
  • carnet:
    • Version: 0.19.1
    • Path: /var/www/html/owncloud/apps-external/carnet
  • checksum:
    • Version: 0.3.5
    • Path: /var/www/html/owncloud/apps-external/checksum
  • comments:
    • Version: 0.3.0
    • Path: /var/www/html/owncloud/apps/comments
  • configreport:
    • Version: 0.2.0
    • Path: /var/www/html/owncloud/apps/configreport
  • contacts:
    • Version: 1.5.5
    • Path: /var/www/html/owncloud/apps-external/contacts
  • customgroups:
    • Version: 0.6.2
    • Path: /var/www/html/owncloud/apps-external/customgroups
  • dav:
    • Version: 0.6.0
    • Path: /var/www/html/owncloud/apps/dav
  • drawio:
    • Version: 0.0.9
    • Path: /var/www/html/owncloud/apps-external/drawio
  • external:
    • Version: 1.4.0
    • Path: /var/www/html/owncloud/apps/external
  • extract:
    • Version: 1.2.4
    • Path: /var/www/html/owncloud/apps-external/extract
  • federatedfilesharing:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps/federatedfilesharing
  • federation:
    • Version: 0.1.0
    • Path: /var/www/html/owncloud/apps/federation
  • files:
    • Version: 1.5.2
    • Path: /var/www/html/owncloud/apps/files
  • files_antivirus:
    • Version: 1.0.0
    • Path: /var/www/html/owncloud/apps-external/files_antivirus
  • files_clipboard:
    • Version: 1.0.3
    • Path: /var/www/html/owncloud/apps-external/files_clipboard
  • files_external:
    • Version: 0.7.1
    • Path: /var/www/html/owncloud/apps/files_external
  • files_external_dropbox:
    • Version: 1.2.0
    • Path: /var/www/html/owncloud/apps-external/files_external_dropbox
  • files_external_ftp:
    • Version: 0.2.1
    • Path: /var/www/html/owncloud/apps-external/files_external_ftp
  • files_external_s3:
    • Version: 1.0.0
    • Path: /var/www/html/owncloud/apps-external/files_external_s3
  • files_mediaviewer:
    • Version: 1.0.4
    • Path: /var/www/html/owncloud/apps/files_mediaviewer
  • files_pdfviewer:
    • Version: 1.0.0
    • Path: /var/www/html/owncloud/apps-external/files_pdfviewer
  • files_primary_s3:
    • Version: 1.1.2
    • Path: /var/www/html/owncloud/apps-external/files_primary_s3
  • files_sharing:
    • Version: 0.14.0
    • Path: /var/www/html/owncloud/apps/files_sharing
  • files_texteditor:
    • Version: 2.3.1
    • Path: /var/www/html/owncloud/apps-external/files_texteditor
  • files_trashbin:
    • Version: 0.9.1
    • Path: /var/www/html/owncloud/apps/files_trashbin
  • files_versions:
    • Version: 1.3.0
    • Path: /var/www/html/owncloud/apps/files_versions
  • files_videoplayer:
    • Version: 0.10.1
    • Path: /var/www/html/owncloud/apps/files_videoplayer
  • firstrunwizard:
    • Version: 1.2.0
    • Path: /var/www/html/owncloud/apps/firstrunwizard
  • gallery:
    • Version: 16.1.1
    • Path: /var/www/html/owncloud/apps-external/gallery
  • guests:
    • Version: 0.9.3
    • Path: /var/www/html/owncloud/apps-external/guests
  • impersonate:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps-external/impersonate
  • market:
    • Version: 0.6.1
    • Path: /var/www/html/owncloud/apps-external/market
  • music:
    • Version: 1.3.2
    • Path: /var/www/html/owncloud/apps-external/music
  • notes:
    • Version: 2.0.6
    • Path: /var/www/html/owncloud/apps-external/notes
  • notifications:
    • Version: 0.5.2
    • Path: /var/www/html/owncloud/apps/notifications
  • oauth2:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps-external/oauth2
  • onlyoffice:
    • Version: 7.1.1
    • Path: /var/www/html/owncloud/apps-external/onlyoffice
  • password_policy:
    • Version: 2.1.2
    • Path: /var/www/html/owncloud/apps-external/password_policy
  • provisioning_api:
    • Version: 0.5.0
    • Path: /var/www/html/owncloud/apps/provisioning_api
  • systemtags:
    • Version: 0.3.0
    • Path: /var/www/html/owncloud/apps/systemtags
  • tasks:
    • Version: 0.9.7
    • Path: /var/www/html/owncloud/apps-external/tasks
  • templateeditor:
    • Version: 0.4.0
    • Path: /var/www/html/owncloud/apps-external/templateeditor
  • twofactor_totp:
    • Version: 0.7.2
    • Path: /var/www/html/owncloud/apps-external/twofactor_totp
  • updatenotification:
    • Version: 0.2.1
    • Path: /var/www/html/owncloud/apps/updatenotification
  • web:
    • Version: 3.4.1
    • Path: /var/www/html/owncloud/apps-external/web

Disabled:

  • encryption:
    • Path: /var/www/html/owncloud/apps/encryption
  • user_external:
    • Path: /var/www/html/owncloud/apps/user_external

Are you using external storage, if yes which one: local/smb/sftp/…

Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
no

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your ownCloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:
Firefox latest, Chrome, latest
Operating system:
Windows, Ubuntu

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

Insert your ownCloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...

Hello,

Do you have something in your log files that could help us find the cause of this issue?

Something is not right with your ownCloud: if you are on 10.7, then why does it state that you are on 10.2 in your config report? Did you maybe install multiple ownCloud installations on the same server?

In addition, you should know that PHP 7.2 will no longer be supported in future versions of ownCloud server:

https://doc.owncloud.com/server/10.7/admin_manual/release_notes.html#php-7-2-deprecation-note

You should consider upgrading.

There is nothing in the logs and this occurred all of a sudden, like yesterday it worked and today it doesn’t work anymore, without any changes whatsoever server side or the app side. Moreover, I restored a one week old backup of the server where I am sure everything worked and it is the same. Something changed in the whole infrastructure in the way keys are verified. I have the latest versions of OC and the 2FA app, as they are published on the production channel. Unless I get some intelligence about it, I need to report it as a bug and a regression. Is there anybody with those versions of the server and the app having them working?
About the config report, sorry, I mixed it up with an old one. The good one is here: ownCloud

Well, I wanted to investigate deeper, see the QR code content generated for registration with FreeOTP in order to give the community more details about the issue, and all of a sudden, checking again the registration, the generated key worked. So the same way the code didn’t work overnight, it worked again. Once more, I didn’t change anything on the OC server configuration or in the app. The proof that there is an instability in the app generating the codes or the whole infrastructure. Anyway, now that it works, I can’t do more to investigate but the overnight behavior is worrying for a production system. Fortunately other users didn’t call complaining they cannot authenticate with their account. I’ll keep monitoring the behavior, that’s all I can do for now. Case is suspended.
