IPv6 for Google2FA - Two-factor authentication for Zarafa/Kopano WebApp | Zarafa/Kopano WebApp plugin allows the use of Google two-factor authentication

Configuration

Admin configuration is done in the file config.php. See the comments in this file for more information.

Configuration for a company with central administration

Example:

  • Use MySQL for higher security and central administration.
/**
 * Select database ('settings', 'mysql')
 * Be careful if you change it later. You have to migrate data or the user has to configure again.
 */
define('PLUGIN_GOOGLE2FA_DATABASE', 'mysql');
 
/**
 * DB connection data when using a database such as mysql
 * If PLUGIN_GOOGLE2FA_DATABASE_CREATETABLES is true, the tables are created automatically if they do not exist (the DB user needs the rights)
 */
define('PLUGIN_GOOGLE2FA_DATABASE_SERVERNAME', 'localhost');
define('PLUGIN_GOOGLE2FA_DATABASE_DBNAME', 'google2fa');
define('PLUGIN_GOOGLE2FA_DATABASE_USERNAME', 'google2fa');
define('PLUGIN_GOOGLE2FA_DATABASE_PASSWORD', 'password');
define('PLUGIN_GOOGLE2FA_DATABASE_CREATETABLES', true);
  • Use MCrypt to encrypt the data in the database; change the mcrypt key and, if possible, set the algorithm to MCRYPT_RIJNDAEL_128.
/**
 * The encryption type ('auto', 'no', 'base64', 'mcrypt')
 * Takes effect for new plugin users or, with the settings database, when a user resets the plugin in settings.
 * To use mcrypt you need the PHP extension (php5-mcrypt).
 */
define('PLUGIN_GOOGLE2FA_CRYPT', 'auto');
 
/**
 * MCrypt configuration
 * Please change the mcrypt key!
 * Be careful if you change it later - in case of settings-database every plugin user has to reset the plugin in settings FIRST!
 * You can see the supported algorithms and modes with phpinfo().
 */
define('PLUGIN_GOOGLE2FA_MCRYPTKEY', 'GR6XTMQ45209zTRy8TYZ2F2PJ7pLAxM6mpYEaVyXEQ1igr2aOAEonLUV9S6x3OVZExEP9fJomdivPZY9z5ewcrCsN79KUW49');
define('PLUGIN_GOOGLE2FA_MCRYPTALGORITHM', MCRYPT_RIJNDAEL_128); // better (only libmcrypt > 2.4.x): MCRYPT_RIJNDAEL_128
define('PLUGIN_GOOGLE2FA_MCRYPTMODE', MCRYPT_MODE_ECB);
define('PLUGIN_GOOGLE2FA_MCRYPTRAND', strncasecmp(PHP_OS, 'WIN', 3)==0 ? MCRYPT_RAND : MCRYPT_DEV_URANDOM);
  • The plugin and 2FA should always be enabled. (Or you set PLUGIN_GOOGLE2FA_ACTIVATE and PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED to false and activate the user in the database.)
/**
 * Enable/Disable plugin
 * Default for new users; this does not by itself activate two-factor authentication!
 */
define('PLUGIN_GOOGLE2FA_ENABLE', true);
 
/**
 * Enable the plugin when it loads; the user cannot disable the plugin.
 * But if the activate button is enabled, the user can deactivate two-factor authentication!
 */
define('PLUGIN_GOOGLE2FA_ALWAYS_ENABLED', true);
 
/**
 * Activate/Deactivate 2FA
 * Default for new users.
 */
define('PLUGIN_GOOGLE2FA_ACTIVATE', true);
 
/**
 * Activate 2FA when the plugin loads.
 * If PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED is true, PLUGIN_GOOGLE2FA_ENBUTACTIV should be false
 */
define('PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED', true);
  • The buttons for activation, timeless codes and plugin reset should be disabled. (Or you allow the use of timeless codes.)
/**
 * Enable/Disable button activate/deactivate in settings.
 * For example for admin administration in mysql, ldap, ...
 */
define('PLUGIN_GOOGLE2FA_ENBUTACTIV', false);
 
/**
 * Enable/Disable button timeless codes in settings.
 * For example for admin administration in mysql, ldap, ...
 */
define('PLUGIN_GOOGLE2FA_ENBUTTCODES', false);
 
/**
 * Enable/Disable button reset configuration in settings.
 * For example for admin administration in mysql, ldap, ...
 */
define('PLUGIN_GOOGLE2FA_ENBUTTRESET', false);
  • Add an IP whitelist so that the user can configure the smartphone in the WebApp 2FA settings while in the intranet. (Or you deactivate the button for configuration and create the secret key without the plugin.)
/**
 * IP whitelist with comma-separated IPs/CIDR netmasks for login without 2FA
 * e.g. '192.168.172.0/24,127.0.0.1' or gethostbyname('uri')
 */
define('PLUGIN_GOOGLE2FA_WHITELIST', 'ipwhitelist');
  • It’s more secure to generate the QR code on your own server, because the otpauth URI encoded in the QR code contains the shared secret, which would otherwise be sent to Google.
/**
 * By default, the QR code is generated by Google. Here you can activate the generation on your server with PHPQrCode.
 */
define('PLUGIN_GOOGLE2FA_GENERATEQR', true);
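To show how a PLUGIN_GOOGLE2FA_WHITELIST value is matched against a client address for both IPv4 and IPv6, here is an added example; it is not the plugin's own code and the function names are my own:

```php
<?php
// Added example, not part of the google2fa plugin: evaluate a
// PLUGIN_GOOGLE2FA_WHITELIST-style value (comma-separated IPs and CIDR
// ranges) against a client address, for IPv4 and IPv6. Function names are
// my own; the plugin's actual matching code is not shown on this page.

function google2fa_ip_in_entry(string $ip, string $entry): bool
{
    $parts = explode('/', trim($entry), 2);
    $net   = inet_pton($parts[0]);
    $addr  = inet_pton($ip);
    // Unparsable entry, or IPv4 entry vs IPv6 client (and vice versa): no match.
    if ($net === false || $addr === false || strlen($net) !== strlen($addr)) {
        return false;
    }
    $maxBits = strlen($net) * 8;   // 32 for IPv4, 128 for IPv6
    $bits    = $maxBits;           // a bare address means /32 or /128
    if (isset($parts[1])) {
        if (!preg_match('/^\d{1,3}$/', $parts[1]) || (int) $parts[1] > $maxBits) {
            return false;          // malformed prefix length: fail closed
        }
        $bits = (int) $parts[1];
    }
    // Compare the whole bytes covered by the prefix, then the leftover high bits.
    $fullBytes = (int) ($bits / 8);
    if (substr($net, 0, $fullBytes) !== substr($addr, 0, $fullBytes)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($net[$fullBytes]) & $mask) === (ord($addr[$fullBytes]) & $mask);
}

function google2fa_skip_2fa(string $clientIp, string $whitelist): bool
{
    foreach (explode(',', $whitelist) as $entry) {
        if (trim($entry) !== '' && google2fa_ip_in_entry($clientIp, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed sample list and clients. In production use $_SERVER['REMOTE_ADDR'];
// X-Forwarded-For is client-supplied unless a trusted proxy overwrites it.
$whitelist = '192.168.172.0/24,127.0.0.1,2001:db8:1::/48';
foreach (['192.168.172.42', '192.168.173.1', '::1', '2001:db8:1:5::10', '2001:db8:2::1'] as $ip) {
    printf("%-18s %s\n", $ip, google2fa_skip_2fa($ip, $whitelist) ? 'skip 2FA' : '2FA required');
}
```

Note that '127.0.0.1' does not cover the IPv6 loopback '::1': a client arriving over IPv6 still needs its own entry in the whitelist.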

MCrypt configuration

  • The php extension “php5-mcrypt” has to be installed
  • Don’t forget to change the mcrypt key (PLUGIN_GOOGLE2FA_MCRYPTKEY) in config.php
  • To change the encryption of an existing user configuration you have to reset the plugin for this user in the WebApp settings
/**
 * MCrypt configuration
 * Please change the mcrypt key!
 * Be careful if you change it later - in case of settings-database every plugin user has to reset the plugin in settings FIRST!
 * You can see the supported algorithms and modes with phpinfo().
 */
define('PLUGIN_GOOGLE2FA_MCRYPTKEY', 'hereChangeKey');
define('PLUGIN_GOOGLE2FA_MCRYPTALGORITHM', MCRYPT_DES); // better (only libmcrypt > 2.4.x): MCRYPT_RIJNDAEL_128
define('PLUGIN_GOOGLE2FA_MCRYPTMODE', MCRYPT_MODE_ECB);
define('PLUGIN_GOOGLE2FA_MCRYPTRAND', strncasecmp(PHP_OS, 'WIN', 3)==0 ? MCRYPT_RAND : MCRYPT_DEV_URANDOM);
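A preflight check for a google2fa config.php, as an added example that is not the plugin's own code: the constant names are the plugin's, the checks are my own and cover the points above (default key, database and whitelist values, the ALWAYS_ACTIVATED/ENBUTACTIV rule) plus the GD/PNG requirement for local QR generation that comes up in the comments below.

```php
<?php
// Added example, not the plugin's own code: preflight check for a google2fa
// config.php. Run it with the WebApp's PHP binary so that the MCRYPT_*
// constants referenced in config.php resolve. Usage: php check.php /path/to/config.php

function google2fa_config_problems(string $configFile): array
{
    require_once $configFile;   // loads the plugin's define() calls
    $problems = [];

    if (!in_array(PLUGIN_GOOGLE2FA_DATABASE, ['settings', 'mysql'], true)) {
        $problems[] = 'PLUGIN_GOOGLE2FA_DATABASE must be "settings" or "mysql"';
    }
    if (PLUGIN_GOOGLE2FA_DATABASE === 'mysql' && PLUGIN_GOOGLE2FA_DATABASE_PASSWORD === 'password') {
        $problems[] = 'PLUGIN_GOOGLE2FA_DATABASE_PASSWORD is still the example value';
    }
    if (PLUGIN_GOOGLE2FA_CRYPT === 'mcrypt' && !extension_loaded('mcrypt')) {
        $problems[] = 'mcrypt selected but the PHP mcrypt extension is not loaded';
    }
    if (in_array(PLUGIN_GOOGLE2FA_CRYPT, ['auto', 'mcrypt'], true)
        && (PLUGIN_GOOGLE2FA_MCRYPTKEY === 'hereChangeKey' || strlen(PLUGIN_GOOGLE2FA_MCRYPTKEY) < 32)) {
        $problems[] = 'PLUGIN_GOOGLE2FA_MCRYPTKEY is the shipped default or shorter than 32 characters';
    }
    // The config comments require ENBUTACTIV to be false when ALWAYS_ACTIVATED
    // is true; otherwise a user could switch 2FA off in the settings dialog.
    if (PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED && PLUGIN_GOOGLE2FA_ENBUTACTIV) {
        $problems[] = 'PLUGIN_GOOGLE2FA_ENBUTACTIV must be false when PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED is true';
    }
    foreach (explode(',', PLUGIN_GOOGLE2FA_WHITELIST) as $entry) {
        $addr = explode('/', trim($entry), 2)[0];
        if ($addr !== '' && filter_var($addr, FILTER_VALIDATE_IP) === false) {
            $problems[] = "whitelist entry '" . trim($entry) . "' is not an IP address or CIDR range";
        }
    }
    if (PLUGIN_GOOGLE2FA_GENERATEQR) {
        // phpqrcode needs GD with PNG support, which gd_info() reports.
        $gd = function_exists('gd_info') ? gd_info() : [];
        if (empty($gd['PNG Support'])) {
            $problems[] = 'local QR generation needs the GD extension with PNG support';
        }
    }
    return $problems;
}

$problems = google2fa_config_problems($argv[1] ?? __DIR__ . '/config.php');
foreach ($problems as $p) {
    echo "- $p\n";
}
exit($problems === [] ? 0 : 1);
```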

4 thoughts on “Configuration”

  1. Hi, if I want to create the QR image on my server I get an empty box (image cannot be generated).

    What must I install to make this work and create the QR image on my own server?

    1. Chris wrote: Already found it. Installed PHP-bacon-qr-code. Now it is working!

      Answer:
      Hi Chris,

      that’s strange. The PHP QR code is part of the plugin (see google2fa/php/external/phpqrcode). This code has two requirements: PHP5 and the PHP GD2 extension with JPEG and PNG support (see google2fa/php/external/phpqrcode/INSTALL).
      Often these requirements are already met. You can see the installed extensions with the PHP method “phpinfo();”. Perhaps the installation of “PHP-bacon-qr-code” has activated the GD2 extension.

      Have fun with the plugin!

      Norman

  2. Hi Norman,

    I enabled the timeless codes (one time use).

    However they are not working. What could be the problem?
