-
Notifications
You must be signed in to change notification settings - Fork 274
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add MFA/TOTP support #753
Add MFA/TOTP support #753
Conversation
Co-Authored-By: Fredrik Bostroem <fredrik.bostroem@verdigado.com> Co-Authored-By: Sven Seeberg <sven.seeberg@verdigado.com>
Thank you for taking the time to submit this! I've left a few comments on the PR for things which stood out immediately. I've not yet tried running / using the code. |
Thank's for the comments! Sqlite is next on the list but I wanted to have this available for testing first. |
try running 'composer psalm' on the code - it's currently highlighting about 26/27 issues ... |
…ic/users/login-mfa.php
…lude from linting(needs external includes)
Later than I expected (vacation), I finally got the stuff psalm complained about fixed. |
Thank you - I'll try and use the code soon ... I'm happy to merge it, but would like other people to express support/check it if possible. |
I just tested the compatibility of the TOTP secret with https://github.com/alexandregz/twofactor_gauthenticator and it seems that it does not work. I will start on a PR there as well. To get started, I already created an issue: alexandregz/twofactor_gauthenticator#183 |
To follow |
@Neustradamus if you have a chance to test it I would love some bug reports or interface complaints ;-) |
What is left before this could be merged in? I am happy to help test.
I will test it as soon as time permits (hopefully very soon). This would be a very useful feature to have. |
Otherwise, from a PHP point of view, it looks good to me.... |
This is exactly the kind of glaring omission I was hoping for ;-)
Hm, yes, it is kind of cryptic isn't it? "Add application-specific password" maybe. Amends forthcoming soon. |
Added "TOTP code (empty to disable)" possibility. |
Thank you! |
@drunken-sod: Good job! Merged commits: |
@drunken-sod and others: Maybe you can look this draft-ietf-kitten-scram-2fa? SCRAM is very important for security. |
Thanks @DavidGoodwin 🎉
I think that mostly depends on the implementation within the used libraries. But at some point we should have a look. Can you create a new issue for that? |
@svenseeberg there are a few changes I need to make to the code in master - as far as I can see ....
Ideally the mailbox edit screen would show something listing totp status / app passwords / exemptions etc? |
i'm also not convinced the logic is correct around who can add/remove totp codes/exemptions ... i suspect anyone can delete anyone else's atm. |
Yes, that would be problematic. |
Yes, this would be good
Yes they do, don't they? I'm blushing.
If they receive mail it might be especially important for admins for separate their passwords? Saw no reason not to include it as it was no extra effort.
Yes, nice glaring omission, thanks ;-)
I'll come up with something.
That would be embarrassing. I'll get to it reasonably soon but probably not this week. |
Hey @drunken-sod - See also https://github.com/postfixadmin/postfixadmin/tree/topt-app-passwords-fixes - I have sort of started on trying to resolve some of the above issues (but it's not complete yet). |
@svenseeberg: Can you reopen the ticket? |
When will this get released? |
#805 - the application passwords need some work still. From memory - the dovecot SQL query which checks for app passwords isn't valid (See #802) and there isn't any way for admins to add them on a user's behalf? https://github.com/postfixadmin/postfixadmin/blob/8451a91fb899f04be67591319f417e96c2ed1ae4/TODO |
It took some time, but now (mostly) @drunken-sod and I have finished a first draft of a MFA implementation with TOTP ( #184 ). I'd expect that this PR is far from being ready to merge, but provides a base for discussing all details. We tried to stick to existing logic. However, especially the handling of the 2nd step of the login process seems a bit "hacky". To improve the it, a refactoring of the session handling would be required.
To provide an overview of what this PR does, I'll copy the addition from the security documentation:
Overview of added features
Configuration steps
These features are DEACTIVATED by default because they need to be supported by your MTA/MDA configuration to become effective. Please read carefully through the documentation before activating these features.
To activate those features, run through the following procedure:
$CONF['totp'] = 'YES';
$CONF['app_passwords'] = 'YES';
And sorry, this is a bit of a monster PR.
Oh, and one large caveat: the sync with Roundcubemail is not yet tested. I'd expect that we first need to update https://github.com/alexandregz/twofactor_gauthenticator to support the same TOTP mechanisms.