Admin configuration is done in the file config.php. See the comments in this file for more information.
Configuration for a company with central administration
Example:
- Use MySQL for higher security and central administration.
/**
* Select database ('settings', 'mysql')
* Be careful if you change it later. You have to migrate data or the user has to configure again.
*/
define('PLUGIN_GOOGLE2FA_DATABASE', 'mysql');
/**
* DB connection data when using a database such as MySQL
* If PLUGIN_GOOGLE2FA_DATABASE_CREATETABLES is true, tables are created automatically if they do not exist (the DB user needs the rights to do so)
*/
define('PLUGIN_GOOGLE2FA_DATABASE_SERVERNAME', 'localhost');
define('PLUGIN_GOOGLE2FA_DATABASE_DBNAME', 'google2fa');
define('PLUGIN_GOOGLE2FA_DATABASE_USERNAME', 'google2fa');
define('PLUGIN_GOOGLE2FA_DATABASE_PASSWORD', 'password');
define('PLUGIN_GOOGLE2FA_DATABASE_CREATETABLES', true);
- Use MCrypt to encrypt the data in the database, change the mcrypt key and, if possible, change the algorithm to MCRYPT_RIJNDAEL_128.
/**
* The encryption type ('auto', 'no', 'base64', 'mcrypt')
* Takes effect for new plugin users or, with the settings database, when a user resets the plugin in the settings.
* To use mcrypt you need the php extension (php5-mcrypt).
*/
define('PLUGIN_GOOGLE2FA_CRYPT', 'auto');
/**
* MCrypt configuration
* Please change the mcrypt key!
* Be careful if you change it later - in case of settings-database every plugin user has to reset the plugin in settings FIRST!
* You can see the supported algorithms and modes with phpinfo().
*/
define('PLUGIN_GOOGLE2FA_MCRYPTKEY', 'GR6XTMQ45209zTRy8TYZ2F2PJ7pLAxM6mpYEaVyXEQ1igr2aOAEonLUV9S6x3OVZExEP9fJomdivPZY9z5ewcrCsN79KUW49');
define('PLUGIN_GOOGLE2FA_MCRYPTALGORITHM', MCRYPT_RIJNDAEL_128); // requires libmcrypt > 2.4.x
define('PLUGIN_GOOGLE2FA_MCRYPTMODE', MCRYPT_MODE_ECB);
define('PLUGIN_GOOGLE2FA_MCRYPTRAND', strncasecmp(PHP_OS, 'WIN', 3)==0 ? MCRYPT_RAND : MCRYPT_DEV_URANDOM);
- The plugin and 2FA should always be enabled. (Alternatively, set PLUGIN_GOOGLE2FA_ACTIVATE and PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED to false and activate the user in the database.)
/**
* Enable/Disable plugin
* Default for new users, this doesn't mean the activation of two-factor authentication!
*/
define('PLUGIN_GOOGLE2FA_ENABLE', true);
/**
* Enable plugin when plugin is loading, the user can't disable the plugin.
* But if the activate button is enabled the user can deactivate the two-factor authentication!
*/
define('PLUGIN_GOOGLE2FA_ALWAYS_ENABLED', true);
/**
* Activate/Deactivate 2FA
* Default for new users.
*/
define('PLUGIN_GOOGLE2FA_ACTIVATE', true);
/**
* Activate 2FA when plugin is loading.
* If PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED is true, PLUGIN_GOOGLE2FA_ENBUTACTIV should be false
*/
define('PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED', true);
- The buttons for activation, timeless codes and plugin reset should be disabled. (Or you allow the use of timeless codes.)
/**
* Enable/Disable button activate/deactivate in settings.
* For example for admin administration in mysql, ldap, ...
*/
define('PLUGIN_GOOGLE2FA_ENBUTACTIV', false);
/**
* Enable/Disable button timeless codes in settings.
* For example for admin administration in mysql, ldap, ...
*/
define('PLUGIN_GOOGLE2FA_ENBUTTCODES', false);
/**
* Enable/Disable button reset configuration in settings.
* For example for admin administration in mysql, ldap, ...
*/
define('PLUGIN_GOOGLE2FA_ENBUTTRESET', false);
- Add an IP whitelist so that users can configure their smartphone in the WebApp 2FA settings when they are on the intranet. (Alternatively, deactivate the configuration button and create the secret key without the plugin.)
/**
* IP whitelist with comma-separated IP/CIDR netmasks for login without 2FA
* e.g. '192.168.172.0/24,127.0.0.1' or gethostbyname('uri')
*/
define('PLUGIN_GOOGLE2FA_WHITELIST', 'ipwhitelist');
- It’s more secure to generate the QR code on your own server.
/**
* By default, the QR code is generated by Google. Here you can activate the generation on your server with PHPQrCode.
*/
define('PLUGIN_GOOGLE2FA_GENERATEQR', true);
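Because addresses on the whitelist log in without 2FA, it is worth checking which clients a whitelist string covers before deploying it. The following is an added example, not the plugin's own matching code; it handles IPv4 only, assumes 64-bit PHP 7.1 or later, and its function names are hypothetical.

```php
<?php
// Added example, not the plugin's matching code. IPv4 only; assumes 64-bit PHP.

/** Parse one entry ("IP" or "IP/CIDR") into [network, mask], or null if malformed. */
function parse_whitelist_entry(string $entry): ?array
{
    // A bare IP is treated as a /32 network.
    [$net, $bits] = array_pad(explode('/', trim($entry), 2), 2, '32');
    $netLong = ip2long($net);
    if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return null;
    }
    $mask = (0xFFFFFFFF << (32 - (int) $bits)) & 0xFFFFFFFF;
    return [$netLong & $mask, $mask];
}

/** True if $ip matches any entry of the comma-separated $whitelist. */
function ip_skips_2fa(string $ip, string $whitelist): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                 // not a valid IPv4 address
    }
    foreach (explode(',', $whitelist) as $entry) {
        $parsed = parse_whitelist_entry($entry);
        // Malformed entries are skipped rather than treated as a match.
        if ($parsed !== null && ($addr & $parsed[1]) === $parsed[0]) {
            return true;
        }
    }
    return false;
}

// Constructed sample: the whitelist string from the config comment and test clients.
$whitelist = '192.168.172.0/24,127.0.0.1';
foreach (['192.168.172.17', '192.168.173.1', '127.0.0.1', '203.0.113.9'] as $client) {
    $result = ip_skips_2fa($client, $whitelist) ? 'login without 2FA' : '2FA required';
    printf("%-15s %s\n", $client, $result);
}
```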
MCrypt configuration
- The PHP extension “php5-mcrypt” has to be installed
- Don’t forget to change the mcrypt key (PLUGIN_GOOGLE2FA_MCRYPTKEY) in config.php
- To change the encryption of an existing user configuration you have to reset the plugin for this user in the WebApp settings
/**
* MCrypt configuration
* Please change the mcrypt key!
* Be careful if you change it later - in case of settings-database every plugin user has to reset the plugin in settings FIRST!
* You can see the supported algorithms and modes with phpinfo().
*/
define('PLUGIN_GOOGLE2FA_MCRYPTKEY', 'hereChangeKey');
define('PLUGIN_GOOGLE2FA_MCRYPTALGORITHM', MCRYPT_DES); // better (only libmcrypt > 2.4.x): MCRYPT_RIJNDAEL_128
define('PLUGIN_GOOGLE2FA_MCRYPTMODE', MCRYPT_MODE_ECB);
define('PLUGIN_GOOGLE2FA_MCRYPTRAND', strncasecmp(PHP_OS, 'WIN', 3)==0 ? MCRYPT_RAND : MCRYPT_DEV_URANDOM);
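The settings called out in the company example and in the MCrypt section above can be checked mechanically. The following is an added example (not part of the plugin) that scans the text of a config.php for the values this page says to change; the function names are hypothetical and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not part of the google2fa plugin. It reads config.php as text,
// so it also runs where the MCRYPT_* constants are not defined.

// Keys printed in this documentation are public: the placeholder and the example key.
const PUBLISHED_KEYS = [
    'hereChangeKey',
    'GR6XTMQ45209zTRy8TYZ2F2PJ7pLAxM6mpYEaVyXEQ1igr2aOAEonLUV9S6x3OVZExEP9fJomdivPZY9z5ewcrCsN79KUW49',
];

/** Map each define('PLUGIN_GOOGLE2FA_X', value) to its value as source text. */
function google2fa_config_values(string $source): array
{
    preg_match_all(
        "~define\\(\\s*'PLUGIN_GOOGLE2FA_([A-Z0-9_]+)'\\s*,\\s*(.+?)\\s*\\)\\s*;~",
        $source, $hits, PREG_SET_ORDER
    );
    $values = [];
    foreach ($hits as $hit) {
        // define() cannot redefine a constant, so the first occurrence wins.
        $values[$hit[1]] ??= trim($hit[2], "'\"");
    }
    return $values;
}

/** Return one message per setting that this page says to change. */
function google2fa_audit(string $source): array
{
    $c = google2fa_config_values($source);
    $is = fn(string $key, string ...$bad): bool => in_array($c[$key] ?? null, $bad, true);
    return array_keys(array_filter([
        'MCRYPTKEY is a value printed in the documentation' => $is('MCRYPTKEY', ...PUBLISHED_KEYS),
        'MCRYPTALGORITHM is MCRYPT_DES, not MCRYPT_RIJNDAEL_128' => $is('MCRYPTALGORITHM', 'MCRYPT_DES'),
        "CRYPT is 'no' or 'base64', so secrets are not encrypted" => $is('CRYPT', 'no', 'base64'),
        'DATABASE_PASSWORD is the example value' => $is('DATABASE_PASSWORD', 'password'),
        'ENBUTACTIV should be false when ALWAYS_ACTIVATED is true'
            => $is('ALWAYS_ACTIVATED', 'true') && $is('ENBUTACTIV', 'true'),
        'GENERATEQR is false, so Google generates the QR code' => $is('GENERATEQR', 'false'),
    ]));
}

// Constructed sample input; pass a path as the first argument to audit a real file.
$sample = "define('PLUGIN_GOOGLE2FA_MCRYPTKEY', 'hereChangeKey');\n"
        . "define('PLUGIN_GOOGLE2FA_MCRYPTALGORITHM', MCRYPT_DES); // better: MCRYPT_RIJNDAEL_128\n"
        . "define('PLUGIN_GOOGLE2FA_ALWAYS_ACTIVATED', true);\n"
        . "define('PLUGIN_GOOGLE2FA_ENBUTACTIV', true);\n";
$source = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sample;
foreach (google2fa_audit($source) as $finding) {
    echo "[!] $finding\n";
}
```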
Hi. If I want to create the QR image on my server I get an empty box (image cannot be generated).
What must I install to make this work and create the QR image on my own server?
Chris wrote: Already found it. Installed PHP-bacon-qr-code. Now it is working!
Answer:
Hi Chris,
that’s strange. The PHP QR code is part of the plugin (see google2fa/php/external/phpqrcode). This code needs two requirements: PHP5 and PHP GD2 extension with JPEG and PNG support (see google2fa/php/external/phpqrcode/INSTALL).
Often these requirements are met. You can see the installed extensions with the PHP method “phpinfo();”. Perhaps the installation of “PHP-bacon-qr-code” has activated the GD2 extension.
Have fun with the plugin!
Norman
Hi Norman,
I enabled the timeless codes (one-time use).
However, they are not working. What could be the problem?
Any advice on the timeless generated codes?