2FA on Roundcube
-
Hi everyone,
In this day and age I feel uneasy not having 2FA on my apps. I realize this could be more of a "feel good" rather than real security measure (the app being protected should be secure in general, not just the login experience).
I've just switched from Rainloop after being ignorant and learning that it's no longer being maintained.
2FA is implemented as a plug-in for Roundcube. The plugin I see mentioned the most is https://github.com/alexandregz/twofactor_gauthenticator . The instructions on https://docs.cloudron.io/apps/roundcube/ (Plugin section) say I need a tar archive which needs to be extracted into the "/app/data/plugins" directory. I cannot find a tar for that 2FA plugin anywhere.
I've never done PHP, so not sure if copying the whole repo content is advisable, secure, etc.
Would appreciate if anyone shares their experience or advice on this subject.
Thanks!
-
Wasn't aware git was available in the terminal for each application. Once I cloned the repo directly into RoundCube filesystem and then followed the instructions, everything was easy and simple.
@bazinga said in 2FA on Roundcube:
Once I cloned the repo directly into RoundCube filesystem
Sounds to me like that is perhaps a much better method than what is currently described over at https://docs.cloudron.io/apps/roundcube/#plugins !
-
That’s what I do as well.
Note that for the next git pull, you’ll probably receive an error re dubious ownership (see https://stackoverflow.com/questions/72978485/git-submodule-update-failed-with-fatal-detected-dubious-ownership-in-reposit).
Since you cannot modify .gitconfig globally to get rid of these warnings (it’s in the read only part of the filesystem), you probably have to change folder permissions temporarily to root:root before git pull and switch back to www-data:www-data afterwards. This can be scripted of course.
-
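The scripted ownership swap mentioned in the post above, as an added example that is not part of the original thread or of Cloudron's or Roundcube's own tooling. It assumes the path and owners named in the thread (/app/data/plugins, www-data:www-data, root:root); the function names and the core.hooksPath override, which keeps repository hooks from executing while git runs as root, are this example's own choices.

```shell
#!/bin/sh
# Added example: update git-cloned Roundcube plugins using the temporary
# ownership change described in the thread. Function names are hypothetical.

PLUGIN_ROOT="${PLUGIN_ROOT:-/app/data/plugins}"   # plugin directory from the thread
SERVE_OWNER="${SERVE_OWNER:-www-data:www-data}"   # owner the web server expects
PULL_OWNER="${PULL_OWNER:-root:root}"             # owner that passes git's ownership check

# update_plugin DIR: pull one plugin and always hand the tree back to SERVE_OWNER.
# Returns 0 on success, 1 on failure, 2 if DIR is not a git clone.
update_plugin() {
    dir=$1
    [ -d "$dir/.git" ] || { echo "skip (not a git clone): $dir" >&2; return 2; }
    chown -R "$PULL_OWNER" "$dir" || return 1
    rc=0
    # --ff-only: refuse to merge if the local tree has diverged from upstream.
    # core.hooksPath=/dev/null: do not execute repository hooks as root.
    git -C "$dir" -c core.hooksPath=/dev/null pull --ff-only || rc=1
    # Restore ownership whether or not the pull succeeded, so a failed
    # update never leaves the plugin unreadable or root-owned.
    chown -R "$SERVE_OWNER" "$dir" || rc=1
    return "$rc"
}

# update_all_plugins ROOT: run update_plugin on every git clone under ROOT.
# Returns the number of plugins that failed to update (0 means all succeeded).
update_all_plugins() {
    root=$1
    failed=0
    for d in "$root"/*/; do
        [ -d "${d}.git" ] || continue      # plugins installed from a tar are left alone
        update_plugin "${d%/}" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run against the real plugin directory only when it exists.
if [ -d "$PLUGIN_ROOT" ]; then
    update_all_plugins "$PLUGIN_ROOT"
fi
```

Review what each pull brought in (for example with git log) before relying on the updated plugin, since the plugin code runs inside the webmail application.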
@necrevistonnezr Thank you for your advice! Wouldn't think about ownership change, but will keep in mind from now on.
One "good" thing about RoundCube plugins is that they are not updated, it seems, ever
So, may not need to update those plugins ever, haha.
-
@jdaviescoates Yep, essentially I do the following (I've added 5-6 plugins, not sure why they are not added by default by Cloudron devs):
- Open terminal for RoundCube
- git clone ....
- chown -R www-data:www-data PLUGIN_DIR_NAME
- Open File Manager for RoundCube
- Edit "customconfig.php" and add the plugin in there similar to:
  array_push($config['plugins'], 'twofactor_gauthenticator');
-
Notwithstanding that it’s super annoying that 2FA is not built in. I hate outsourcing core features to „add-ons“ with a passion (see also Nextcloud)
-
@necrevistonnezr Completely agree with you. Boggles my mind. I too think features like 2FA and Captcha should be built-in.