[Solved] Login asking for 2FA code when not setup

I have a MIAB 0.51 install that has just started asking me for a 2FA code to login to the admin panel when I didn’t set this up. How can I get into my admin panel?

edit: Tested from Firefox on Linux and Chrome on Windows.

I have “reinstalled” 0.51 by running curl -s https://mailinabox.email/setup.sh | sudo bash but this has not fixed the issue. How do I disable 2FA from the command line?

edit: There’s nothing about how 2FA is implemented in the security notes: https://github.com/mail-in-a-box/mailinabox/blob/master/security.md

edit2: Turns out 2FA can be disabled via a command line tool. For the sake of others that this happens to, here’s how to disable it:

me@box:~/mailinabox/management$ sudo ./cli.py user mfa show me@email.com
[sudo] password for me:
id,type,label
1,totp,
me@box:~/mailinabox/management$ sudo ./cli.py user mfa disable me@email.com 1
OK

After this I was able to log in.

1 Like

@fspoettel Can you have a look? This should not happen, should it?

Thanks for the ping @hija .

Something doesn’t add up here. @crc32 are you sure that you did not set it up at some point? If not, are you sure that no one else is accessing the miab admin account in question?

The command that “disables” 2FA really only removes existing credentials from the database. In order for this to have any effect someone must have added one in the first place.

I can see no other way that this could have happened, especially given that there was an existing credential in the database.

1 Like

At no stage did I set up 2FA and I don’t recall looking at the settings page for 2FA. No one else has access to the admin login. This account uses a strong, unique, randomly generated password and although there’s no way to be 100% sure that a malicious actor hasn’t accessed the account, there have been no other signs of it and I find it highly unlikely that someone would break into my admin panel just to turn 2FA on.

One change I did make was run the ./owncloud-unlockadmin.sh script on this account but did not make any changes to the Nextcloud install - I just needed to check some contact group settings.

To enable 2FA you have to enter an OTP from an app in the admin panel. I cannot imagine that you did that without remembering it. I just looked into the code and I also don’t see how one could activate 2FA without actively wanting to. I think it’s best to wait and see if that bug pops up for other users too.

@hija I’m not (yet) convinced that this is a bug. There is no way to create a credential without either using the admin panel UI or sending a specific sequence of curl requests with an API key credential.

@crc32 This is an odd one. The only thing that I’m sure of is that the system does not create entries in the credentials table by itself at any point. Maybe we can exclude some other possibilities:

  • Do you access your miab via the curl HTTP API? Did you store your miab credentials in another system at any point in time?
  • Are there other admin accounts on your box? Admins can only turn on 2FA for themselves but if there is a bug or edge case in that code, this might explain the problem.

I find it highly unlikely that someone would break into my admin panel just to turn 2FA on.

I agree that this does seem pointless in the context of miab. However, turning on 2FA for an account is the first action malicious actors take once they have access to an account. It locks out the original owner and is irreversible in a lot of cases where customer service has to be involved to disable it again.

1 Like
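The two points above, the `cli.py user mfa show` / `disable` procedure in the first post and the observation that an unexpected 2FA enrollment is exactly what an account takeover looks like, suggest a small defensive check: record which MFA credentials each admin has and flag any that appear (or vanish) between runs. The script below is an added example, not part of Mail-in-a-Box. It assumes the `cli.py user mfa show <email>` subcommand and its `id,type,label` CSV output exactly as shown in the thread, plus a `cli.py user admins` subcommand to list admin accounts (an assumption; check your version’s `cli.py`), and the baseline file path is hypothetical.

```python
#!/usr/bin/env python3
"""Audit MFA enrollments on Mail-in-a-Box admin accounts and diff them
against a stored baseline, so an enrollment nobody remembers making
shows up as a flagged change instead of a surprise login prompt.

Added example, not part of Mail-in-a-Box. Assumes the CLI subcommands
seen in the thread (`cli.py user mfa show <email>`, CSV header id,type,label)
plus `cli.py user admins` for listing admins (assumed; verify in your cli.py).
"""
import csv
import io
import json
import subprocess
import sys
from pathlib import Path

CLI = "./cli.py"  # run from ~/mailinabox/management, as in the thread
BASELINE = Path("/var/lib/mailinabox/mfa-baseline.json")  # hypothetical path


def parse_mfa_show(output: str) -> list[dict]:
    """Parse the CSV printed by `cli.py user mfa show` (header: id,type,label).

    An account with no credentials yields only the header, so the result is [].
    """
    reader = csv.DictReader(io.StringIO(output.strip()))
    return [
        {"id": row["id"], "type": row["type"], "label": row.get("label") or ""}
        for row in reader
    ]


def diff_enrollments(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Compare {email: [credential, ...]} maps; return findings per account.

    A credential is identified by (id, type). New credentials are the
    interesting case (possible lockout or takeover); removals are reported
    too so a disabled factor is also visible in the audit trail.
    """
    findings: dict[str, list[str]] = {}
    for user in sorted(set(baseline) | set(current)):
        before = {(c["id"], c["type"]) for c in baseline.get(user, [])}
        after = {(c["id"], c["type"]) for c in current.get(user, [])}
        lines = [f"NEW {ctype} credential id={cid}" for cid, ctype in sorted(after - before)]
        lines += [f"REMOVED {ctype} credential id={cid}" for cid, ctype in sorted(before - after)]
        if lines:
            findings[user] = lines
    return findings


def run_cli(*args: str) -> str:
    """Invoke cli.py and return its stdout (sudo prompts go to the terminal, not here)."""
    return subprocess.run([CLI, *args], check=True, capture_output=True, text=True).stdout


def collect() -> dict[str, list[dict]]:
    """Snapshot the MFA credentials of every admin account on the box."""
    admins = [line.strip() for line in run_cli("user", "admins").splitlines() if line.strip()]
    return {email: parse_mfa_show(run_cli("user", "mfa", "show", email)) for email in admins}


def main() -> None:
    current = collect()
    baseline = json.loads(BASELINE.read_text()) if BASELINE.exists() else {}
    findings = diff_enrollments(baseline, current)
    for user, lines in findings.items():
        for line in lines:
            print(f"{user}: {line}")
    BASELINE.write_text(json.dumps(current, indent=2))
    # Non-zero exit makes a cron wrapper or monitoring job notice the change.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it once with sudo from the management directory to seed the baseline, then from cron; the first run after someone (or something) enrolls a factor prints a `NEW totp credential` line for that account and exits non-zero, which is the moment to ask who did it rather than after being locked out.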

Sorry to take so long to reply @fspoettel.

I haven’t accessed MIAB using the API.

There are two other admins on the box and one of them uses 2FA. I’m not sure if they enabled it around the time of my issue.