From 6e2661dcec38a148cee3c28272b7272b259b4005 Mon Sep 17 00:00:00 2001
From: dbtick
Date: Mon, 8 Aug 2022 23:26:24 +0100
Subject: [PATCH 1/2] nocsrf fix for PHP7.4+

Updated index braces from {} to [] to match PHP7.4+ syntax.
---
 lib/nocsrf.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nocsrf.php b/lib/nocsrf.php
index 5f23398..621ad98 100644
--- a/lib/nocsrf.php
+++ b/lib/nocsrf.php
@@ -110,7 +110,7 @@ protected static function randomString( $length )
 $string = '';
 for ( $i = 0; $i < $length; ++$i )
- $string .= $seed{intval( mt_rand( 0.0, $max ) )};
+ $string .= $seed[intval( mt_rand( 0.0, $max ) )];
 return $string;
 }

From 5fa67774bfb7b83d427ad2ab1c2bc5974f1b23fd Mon Sep 17 00:00:00 2001
From: dbtick
Date: Mon, 8 Aug 2022 23:27:16 +0100
Subject: [PATCH 2/2] Added configurable clock discrepancy

Google authenticator allows for clock drift by setting a discrepancy factor (+- token count). This is part of the API, and is made available through a configurable CLOCK_DISCREPANCY parameter now in config.php.
---
 config.php | 12 ++++++++++++
 login/login.php | 2 +-
 readme.md | 3 +++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/config.php b/config.php
index c856b05..9f0570e 100644
--- a/config.php
+++ b/config.php
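Review bot: The rewritten line still draws every character with `mt_rand`, a seedable Mersenne Twister rather than a CSPRNG, and this helper presumably builds the anti-CSRF token (the file is lib/nocsrf.php), so the index should come from `random_int`, which exists on every PHP version this patch targets. That also removes the float literal being passed to an integer parameter: `$string .= $seed[random_int(0, $max)];`. `$seed` and `$max` are defined above the hunk, so `$max` is assumed here to be the last valid offset into `$seed` — confirm that when applying the change. randomString's body starts outside the hunk.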
@@ -63,4 +63,16 @@
 // like infinite redirects or failed authentications, you can log authentication
 // activity to the file /nginx/debug.log for your review.
 define('TFA_NGINX_DEBUG', false);
+
+// Set this to the "clock skew handing factor" (googleAuthenticator discrepancy)
+// This is the number of tokens before/after flexibility in time synchronisation allowed,
+// e.g. a value of 2 will check tokens "now -2", "now -1", now, "now+1" and "now+2".
+// use "0" for strict time synchronisation, 1 for +- 30 seconds etc....
+// Tradeoff - 0 expects good clock synchronisation, but is most secure
+// 1 allows some flexibility in clock synchronisation at the risk of lower security
+// 2 .... etc
+
+define('CLOCK_DISCREPANCY',1);
+
+
 ?>
diff --git a/login/login.php b/login/login.php
index 5c0b439..b546e08 100644
--- a/login/login.php
+++ b/login/login.php
@@ -50,7 +50,7 @@
 $gauth = new GoogleAuthenticator();
 // Checking password hash and token
- if (($result['PASSWORDHASH'] !== hash("sha256",$password)) || !($gauth->verifyCode($result['GAUTHSECRET'],$token))) {
+ if (($result['PASSWORDHASH'] !== hash("sha256",$password)) || !($gauth->verifyCode($result['GAUTHSECRET'],$token,CLOCK_DISCREPANCY))) {
 $error = "[ERROR] Authentication failed";
 } else {
 $isAdmin = $dbManager->getAdminStatus($username);
diff --git a/readme.md b/readme.md
index 13132f3..683031f 100644
--- a/readme.md
+++ b/readme.md
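Review bot: The default on the added `define('CLOCK_DISCREPANCY',1);` is the looser of the options the new comment block itself describes, and the comment understates what it costs: each increment accepts two more 30-second codes, so 1 means three codes (a 90-second window) are valid at any instant and the chance that a guessed six-digit token is accepted rises in proportion. An operator would be helped by a line that states the type and the effect plainly, e.g. `// Non-negative integer; each step accepts one more 30-second code before and after "now" (1 = 3 codes valid at once).` The first comment line also has a typo, `handing` for `handling`. Whether 1 is an acceptable default depends on how the login path throttles failed attempts, which is outside this file.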
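Review bot: Widening the accepted window on the rewritten `if` line makes an already-used code more valuable, and nothing in this hunk records the time slice of an accepted token; RFC 6238 §5.2 recommends that a verifier refuse a code it has already accepted for that user, so storing the last accepted slice next to `GAUTHSECRET` and rejecting anything at or before it would close that gap. The new reference to `CLOCK_DISCREPANCY` also has no fallback: a deployment whose config.php predates this patch gets an undefined-constant Error on PHP 8 (on PHP 7 a warning, with the bare name passed as a string), so `defined('CLOCK_DISCREPANCY') ? CLOCK_DISCREPANCY : 1` or a guarded `define` in login.php would keep older configs working. If this is the PHPGangsta GoogleAuthenticator, its `verifyCode` default discrepancy is already 1, so the patch changes behaviour only when the config is set to another value — worth saying in the commit message. The unsalted `hash("sha256",$password)` comparison on the same line predates this change but is the larger weakness here; `password_hash`/`password_verify` would replace it at the cost of migrating the stored hashes. The enclosing block continues outside the hunk.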
@@ -107,6 +107,9 @@ Edit the **/twofactorauth/config.php** file to match your needs. Most settings c
 - **AUTH\_SUCCEED\_REDIRECT\_URL** : The login page supports a URL parameter "from" (*ex: "http://www.example.com/twofactorauth/login/login.php?from=/myapp"*). Upon successful login, the login page will redirect the user to the path specified in the "from" parameter (*NB: it can only be a path local to the FQDN, no cross-site*). However, if the "from" parameter is not present in the URL, the login page will redirect the user to the URL specified in AUTH\_SUCCEED\_REDIRECT\_URL
+- **CLOCK\_DISCREPANCY** : Set this to the "clock skew handing factor" (googleAuthenticator discrepancy). This is the number of tokens before/after flexibility in time synchronisation allowed, e.g. a value of 2 will check tokens "now -2", "now -1", now, "now+1" and "now+2". use "0" for strict time synchronisation, 1 for +- 30 seconds etc.... Tradeoff - 0 expects good clock synchronisation, but is most secure, 1 allows some flexibility in clock synchronisation at the risk of lower security, 2 .... etc
+
+
 Security aspects
 --------------
 The user database must be protected against remote access. To achieve this, you can either :