From 2a593f31c62446302dc98033737a5002c08ebe49 Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Mon, 11 Mar 2024 08:31:30 +0100 Subject: [PATCH] feat(admin): occ twofactor:cleanup/disable Signed-off-by: Christoph Wurst --- .../configuration_server/occ_command.rst | 6 +++-- .../configuration_user/two_factor-auth.rst | 23 +++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/admin_manual/configuration_server/occ_command.rst b/admin_manual/configuration_server/occ_command.rst index 92713f827..c64f45879 100644 --- a/admin_manual/configuration_server/occ_command.rst +++ b/admin_manual/configuration_server/occ_command.rst @@ -1,3 +1,5 @@ +.. _occ: + ===================== Using the occ command ===================== @@ -1729,13 +1731,13 @@ In the case of a user losing access to the second factor (e.g. lost phone with two-factor SMS verification), the admin can try to disable the two-factor check for that user via the occ command:: - sudo -u www-data php occ twofactor:disable + sudo -u www-data php occ twofactorauth:disable .. note:: This is not supported by all providers. To re-enable two-factor auth again use the following commmand:: - sudo -u www-data php occ twofactor:enable + sudo -u www-data php occ twofactorauth:enable .. note:: This is not supported by all providers. diff --git a/admin_manual/configuration_user/two_factor-auth.rst b/admin_manual/configuration_user/two_factor-auth.rst index a474cf76d..478fc087b 100644 --- a/admin_manual/configuration_user/two_factor-auth.rst +++ b/admin_manual/configuration_user/two_factor-auth.rst @@ -1,3 +1,5 @@ +.. _two-factor-auth: + ========================= Two-factor authentication ========================= 
@@ -31,6 +33,16 @@ Once 2FA has been enabled, users have to `activate it in their personal settings .. TODO ON RELEASE: Update version number above on release +Disabling two-factor authentication +----------------------------------- + +Two-factor providers can be disabled via :ref:`occ `:: + + sudo -u www-data php occ twofactorauth:disable + +User are free to enable this provider again via their personal settings. + +.. note:: This operation has to be supported by the provider. If this support is missing, Nextcloud will abort and show an error. Enforcing two-factor authentication ----------------------------------- @@ -53,3 +65,14 @@ a user has 2FA enforced: * If no groups are selected, 2FA is enabled for everyone except members of the excluded groups * If groups are selected, 2FA is enabled for all members of these. If a user is both in a selected *and* excluded group, the selected takes precedence and 2FA is enforced. + +Provider removal +---------------- + +Nextcloud keeps records about the enabled two-factor authentication providers of every user. If a provider is simply removed/:ref:`disabled `, Nextcloud will still consider the provider active for the user at login and show a warning like *Could not load at least one of your enabled two-factor auth methods*. + +The associations of removed providers can be cleaned up via :ref:`occ `:: + + sudo -u www-data php occ twofactorauth:cleanup + +.. warning:: This operation is irreversible. Only run it for providers you do not intend to enable again.
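Review bot: In the occ_command.rst hunk at `@@ -1729,13 +1731,13 @@`, the added lines document `twofactorauth:disable` and `twofactorauth:enable`, but the commit subject still says `occ twofactor:cleanup/disable`. Align the subject with the namespace the docs now use so the rename can be found in history. While this paragraph is being touched, fix "commmand" in the unchanged context line and drop the redundant "again" in "To re-enable two-factor auth again". The command lines as they read here name neither a user nor a provider. If arguments are required, show them as placeholders, since this is the command an admin runs to lift a second factor from an account.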
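Review bot: In the two_factor-auth.rst hunk at `@@ -31,6 +33,16 @@`, the sentence "User are free to enable this provider again via their personal settings." needs "Users", and "this provider" has no antecedent because the command above it, as it reads here, names no provider and no user. State explicitly that the command acts on one provider for one user. The new section sits directly before "Enforcing two-factor authentication", so add a sentence on what a user with enforced 2FA sees at the next login after their provider was disabled. An admin needs that before running the command on a locked-out account.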
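Review bot: In the "Provider removal" section added by the hunk at `@@ -53,3 +65,14 @@`, "removed/disabled" is ambiguous next to the new "Disabling two-factor authentication" section. There, disabling is a per-user occ operation that the user can undo in personal settings. Here it appears to mean the provider itself going away, which leaves stale records and the login warning. Use distinct wording for the two cases so readers do not reach for `twofactorauth:cleanup` after a per-user disable. The warning says the operation is irreversible but not what is lost: name what is deleted (the per-user provider associations described in the first paragraph) and what a user has to do if the provider is later enabled again. The command as shown takes no provider argument, while the warning speaks of "providers you do not intend to enable again", so document whether cleanup is run per provider.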