[#14051] Two Factor Authentication
Summary Two Factor Authentication
Queue Horde Base
Queue Version Git master
Type Enhancement
State Accepted
Priority 1. Low
Owners
Requester jurekam@gmail.com
Created 2015-07-12 (2295 days ago)
Due
Updated 2020-07-02 (478 days ago)
Assigned
Resolved
Milestone
Patch No

Comments
jurekam@gmail.com 2015-07-12 14:03:11
I'm sure this has been brought up before, but I can't find it.  Two 
Factor authentication would be great to have implemented.  I just 
switched from a Roundcube install and it had a plugin for it which 
worked great.  Two Factor authentication has become the standard these 
days and your product is lacking in this regard.  Please implement 
this ASAP.

Michael Rubinsky <mrubinsk@horde.org> 2015-07-12 14:39:15
This is unlikely to happen anytime soon without someone sponsoring the 
work, or providing patches. Also, please check the mailing list archive.

christoph.haas@ukbw.de 2015-11-18 21:39:03
> I'm sure this has been brought up before, but I can't find it.  Two 
> Factor authentication would be great to have implemented.  I just 
> switched from a Roundcube install and it had a plugin for it which 
> worked great.  Two Factor authentication has become the standard 
> these days and your product is lacking in this regard.  Please 
> implement this ASAP.

well, a 2-factor authentication can easily be done:
1. configure Horde for PAM-Authentication
2. use the Google authenticator PAM-module, or the pam-u2f-module for 
e.g. Yubikey
... and you're done.

Cheers from Stuttgart / BW / Germany
Christoph.

christoph.haas@ukbw.de 2016-04-13 08:53:49
Hello,

> well, a 2-factor authentication can easily be done:
> 1. configure Horde for PAM-Authentication
> 2. use the Google authenticator PAM-module, or the pam-u2f-module 
> for e.g. Yubikey
> ... and you're done.
>
> Cheers from Stuttgart / BW / Germany
> Christoph.

I have now had the time to investigate this topic further. It isn't as 
easy as mentioned in my last comment ...
Although the PAM config below works (tested e.g. as the PAM config for "su"), 
it doesn't do so with Horde :-((
PAM authentication works if I remove the google_authenticator part ...
(just for the record: my system runs on Debian Jessie amd64)

/etc/pam.d/horde
auth    requisite                       pam_google_authenticator.so forward_pass
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so


-->> the login credential with this PAM-config consists of the 
user-password and the one-time-password from the Google Authenticator.
E.g. if the user-password is: mysecretpwd
and the Google OTP: 123456
the login credential would be: mysecretpwd123456

but in /var/log/syslog
HORDE: [horde] FAILED LOGIN for haasc to horde (172.16.1.2) [pid 10073 on line 199 of "/var/www/html/horde/login.php"]
HORDE: [gollem] PHP ERROR: Invalid argument supplied for foreach() [pid 10073 on line 338 of "/var/www/html/horde/gollem/lib/Auth.php"]

... and the login is denied with an error on the Horde login screen:
"Cannot make/remove an entry for the specified session (in pam_authenticate)"

Clueless - where is my bug?
Christoph.
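
Added example, not part of the original ticket and not Horde or pam_google_authenticator code: a simplified Python model of how a single-prompt credential such as mysecretpwd123456 splits into the password and the one-time code, with the code checked as an RFC 6238 TOTP before the password is handed on. The function names, the sample secret, and the 6-digit / 30-second / HMAC-SHA1 parameters are assumptions (the usual Google Authenticator defaults).

```python
import base64, hashlib, hmac, struct

DIGITS = 6      # assumption: default Google Authenticator code length
STEP = 30       # assumption: default TOTP time step in seconds

def totp(secret_b32, unix_time, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", max(0, int(unix_time)) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_credential(credential, digits=DIGITS):
    """Split 'password + OTP' entered in one field; None if no trailing code."""
    otp = credential[-digits:]
    # Modelling choice: an empty password or a non-numeric tail is rejected.
    if len(credential) <= digits or not (otp.isascii() and otp.isdigit()):
        return None
    return credential[:-digits], otp

def check_login(credential, secret_b32, unix_time, window=1):
    """Return the password to forward to the next module, or None if the OTP fails."""
    parts = split_credential(credential)
    if parts is None:
        return None
    password, otp = parts
    for drift in range(-window, window + 1):     # tolerate small clock skew
        expected = totp(secret_b32, unix_time + drift * STEP)
        if hmac.compare_digest(expected, otp):   # constant-time comparison
            return password
    return None

# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)               # RFC test time T = 59 s
    print(check_login("mysecretpwd" + code, SAMPLE_SECRET, 59))
```

The model accepts any code inside the skew window every time it is presented; a deployment also has to reject a code that was already used.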


thierry@freebsd.org 2019-12-17 07:23:37
> I'm sure this has been brought up before, but I can't find it.  Two 
> Factor authentication would be great to have implemented.  I just 
> switched from a Roundcube install and it had a plugin for it which 
> worked great.  Two Factor authentication has become the standard 
> these days and your product is lacking in this regard.  Please 
> implement this ASAP.

Any progress on this subject?

copelius@neomailbox.ch 2020-05-24 21:20:15
>> I'm sure this has been brought up before, but I can't find it.  Two
>> Factor authentication would be great to have implemented.  I just
>> switched from a Roundcube install and it had a plugin for it which
>> worked great.  Two Factor authentication has become the standard
>> these days and your product is lacking in this regard.  Please
>> implement this ASAP.
>
> Any progress on this subject?

Any progress on this, please??

build+horde@de-korte.org 2020-05-25 05:11:21
It has been made abundantly clear why this isn't implemented. Unless 
something is done about the reason why (lack of funding), it makes no 
sense to keep asking.

Klaus.Steinberger@physik.uni-muenchen.de 2020-07-02 14:57:59
It would be really great to have an integration with LINOTP
https://www.linotp.org/