Control Web Panel

Developers => New Modules => Topic started by: rcschaff on February 06, 2020, 12:48:12 AM

Title: Two Factor Authorization Mod
Post by: rcschaff on February 06, 2020, 12:48:12 AM
I have built a Two Factor Authorization Module for CWP.  I have tested it, but please consider this is BETA.   All Issues should be reported to me on this post.

Pre-Requisites.
You need an API key created with ACCOUNT-> list created
After installation, make sure you change User Account -> Themes to the modified theme, and don't allow them to change

Please note that this system works around the CWP login system, and therefore is not infallible, though I did my best to hide that it's there.

To install:
From root user via ssh:
wget https://schaffner.org/cwp2fa.tar.gz
tar -xzf cwp2fa.tar.gz
cd cwp_2fa/
./install.sh
When prompted, put in your API key
That's it. 

Now log into CWP and you should see a new menu 2Factor Auth directly under Server Settings Menu
(https://image.prntscr.com/image/la9HadooQouWuMc-INT9mQ.png)

Users Menu Appears under CWP Settings
(https://image.prntscr.com/image/Q4DXQ0EjR_KnZKHff4P10A.png)
Title: Re: Two Factor Authorization Mod
Post by: Jamshed Datori on February 06, 2020, 02:23:40 PM
Zip File is corrupt. Kindly check again
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 06, 2020, 06:20:21 PM
Not a zip.  It's a tar gzipped
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 06, 2020, 08:15:11 PM
Fixed now.  Not sure why it corrupted.
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 06, 2020, 10:51:04 PM
Here are the checksums for the file cwp2fa.tar.gz
MD5:  a3b85cbb5f67022da228de61224560fc
sha1:  65d80e3cd034d54ef0cf144ae236a42b84468366
sha256:  edb57a36d2df601e1ef4d02020d7c11a1e74109b7d3a895fee53808e510a57e1 
Title: Re: Two Factor Authorization Mod
Post by: thenob on February 20, 2020, 03:59:08 PM
Works great!

Only I bumped into 2 things
-1 Couldn't copy
/usr/local/cwpsrv/htdocs/admin/design/ was read-only due to an SE-linux setting, maybe check it? (ls -Z)

-2 Local time on the server was off with 2 minutes, so every login failed.
Solved it with installing ntpd
So maybe do a check if ntpdate is installed?
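Why a two-minute clock offset makes every code fail, as an added example (not code from the module): a TOTP computed per RFC 6238 with an assumed 30-second step and an assumed verifier tolerance of one step either side. The key is the RFC test secret, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo key: the RFC 6238 test secret "12345678901234567890" in hex.
KEY_HEX=3132333435363738393031323334353637383930
STEP=30   # assumed TOTP period in seconds

# totp_at <unix_time>: 6-digit code for counter floor(time / STEP).
totp_at() {
    ctr_hex=$(printf '%016x' $(( $1 / STEP )))
    # Turn the 8 counter bytes into octal escapes so printf can emit them raw.
    fmt=''
    i=1
    while [ "$i" -le 15 ]; do
        byte=$(printf '%s' "$ctr_hex" | cut -c"$i"-$((i + 1)))
        fmt="$fmt\\$(printf '%03o' "0x$byte")"
        i=$((i + 2))
    done
    mac=$(printf "$fmt" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$KEY_HEX" | sed 's/^.*= *//')
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks the offset.
    off=$(( 0x$(printf '%s' "$mac" | cut -c40) * 2 + 1 ))
    word=$(printf '%s' "$mac" | cut -c"$off"-$((off + 7)))
    printf '%06d\n' $(( (0x$word & 0x7fffffff) % 1000000 ))
}

# accepts <server_time> <code>: server-side check with +/- one step of tolerance.
accepts() {
    for drift in -1 0 1; do
        [ "$(totp_at $(( $1 + drift * STEP )))" = "$2" ] && return 0
    done
    return 1
}

client_code=$(totp_at 59)   # phone clock is correct, time = 59
for skew in 0 30 120; do    # server clock ahead by this many seconds
    if accepts $((59 + skew)) "$client_code"; then r=accepted; else r=rejected; fi
    echo "server clock +${skew}s: $r"
done
```

A 120-second offset is four steps away from the client's counter, so no code the phone shows ever lands inside the server's three-step window.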
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 04:23:12 AM
md5sum 2b158a964d064639df93697c9aee0b42
sha1sum 5a3cb827e7cc8e9ff7b6892b88c5cb333820af19
sha256sum af36c7e02c5de41d911477fdecdc806d43db8c59e94432488335bc013d4f5e6e

The only update I made was to check for ntp, and install it if it's not installed.

If you have selinux installed, then you must know what you are doing, as CWP disables it by default.
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 04:24:35 AM
I am getting this error in cwp admin

Warning: require_once(design/googleAuthenticator.php): failed to open stream: No such file or directory in /usr/local/cwpsrv/htdocs/resources/admin/modules/cwp2fa.php on line 106

Fatal error: require_once(): Failed opening required 'design/googleAuthenticator.php' (include_path='.:/usr/local/cwp/php71/lib/php') in /usr/local/cwpsrv/htdocs/resources/admin/modules/cwp2fa.php on line 106

when trying to create a key

it has stopped me from logging into my user control panel. also the file manager only loads this /home/google
phpqrcode  not my site files

i reinstalled it to try that now i have 2 entries in the left menu. sorry to be a pain

any help would be great as i really want the use of this mod
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 05:31:38 AM
make sure you are on the root account
go to where you untarred cwp_2fa

try these
cp -v admin/googleAuthenticator.php /usr/local/cwpsrv/htdocs/admin/design/
cp -v admin/showQRCode.php /usr/local/cwpsrv/htdocs/admin/design/

If you cannot copy them, try chattr -i /usr/local/cwpsrv/htdocs/admin/design and see if they will copy.   It's also possible you have selinux activated.
If it is, you can do
setenforce 0
copy the files
then
setenforce 1
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 06:03:03 AM
se linux disabled

setenforce: SELinux is disabled

the files are in the correct dir

still same error

/usr/local/cwpsrv/htdocs/admin/design

googleAuthenticator.php
showQRCode.php
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 06:17:33 AM
Install script has been updated.

Redownload, and rerun the install.

md5sum 8f0f50679d5a37fd49610227b840db60
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 06:44:29 AM
worked now, how do i remove the 2 extra entries in left menu i have now lol.

thanks

so much appreciated for this.
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 06:49:31 AM
Edit

/usr/local/cwpsrv/htdocs/resources/admin/include/3rdparty.php

remove the extra lines ;)

It starts with <noscript>  20 lines or so, end with </script>
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 07:07:57 AM
ok one last part

/home/google
phpqrcode

the file manager in user control panel loads these dir not the user files home/public_html etc

thanks for the support awesome many many thanks
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 07:31:28 AM
Correct.  The login user uses /home/google
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 09:16:36 AM
That means the file manager in the user admin can’t be used as no access to user files only the ones I noted before. Then my users can’t access their files using built in file manager I will have to not use it thanks

Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 06:26:29 PM
Once logged in, a session token is set, so you should have full access to everything.  Anything that is not working isn't because of this mod, I can promise you that.
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 07:49:48 PM
It was perfectly fine before I installed this first version of the mod that was bad. No other mods etc have been previously installed. 200% fine before this. The issue never existed before this. The fact that it goes to the files your mod added shows you it came from your mod
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 09:26:36 PM
Turn off 2fa for root and see if it persists while it's off.  They may have changed something on the backend.
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 10:06:46 PM
both root and user are off but still user dir only same:

(https://www.tabletworldstore.com/sshot.png)

as you can see there is a user named google and that's all that loads

(https://www.tabletworldstore.com/shot1.png)
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 21, 2020, 10:13:00 PM
I'll look into it
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 21, 2020, 10:20:59 PM
thanks, appreciated.

Awesome person willing to help, could not ask a stranger for more. 10 out of 10 for this guy.
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 01:06:13 AM
I have a patch for you:
first:
edit /root/watch.sh file
Remove line 26  "sed -i "s@fastcgi_param   PHP_ADMIN_VA....."
Add in its place  "   sed -i -re 's@open_basedir(.*)(";)@\1:/home/google\2@' $f     "

then run: 
 sed -i "s@open_basedir =/home/google/:@open_basedir =@g" /usr/local/cwpsrv/conf.d/users/*

finally run:
/root/watch.sh

This should fix the issue for users.  Root would normally start in /tmp, so I don't think it's too big of a bug ;)
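What the substitution in the patch above does to one config line, as an added example that is not part of the original posts. The sample line is constructed (modelled on the `PHP_ADMIN_VALUE "open_basedir ...` strings quoted in this thread), and `append_keep_directive` and `still_restricted` are hypothetical helpers.

```shell
#!/bin/sh
# Constructed sample of a per-user line; the real files under
# /usr/local/cwpsrv/conf.d/users/ may differ in detail.
SAMPLE='fastcgi_param   PHP_ADMIN_VALUE "open_basedir =/home/alice/:/tmp";'

# The expression exactly as posted. The literal text "open_basedir" is
# matched but is not part of the replacement, so it is not written back.
append_as_posted() {
    printf '%s\n' "$1" | sed -re 's@open_basedir(.*)(";)@\1:/home/google\2@'
}

# Hypothetical variant: the directive name sits inside group 1, so it is kept.
append_keep_directive() {
    printf '%s\n' "$1" | sed -re 's@(open_basedir.*)(";)@\1:/home/google\2@'
}

# Audit helper: succeed only if the line still names open_basedir and the
# value still contains the expected home directory.
still_restricted() {
    printf '%s\n' "$1" | grep -q "\"open_basedir *=.*$2"
}

for fn in append_as_posted append_keep_directive; do
    out=$($fn "$SAMPLE")
    if still_restricted "$out" /home/alice; then
        state='restricted'
    else
        state='open_basedir missing'
    fi
    printf '%s: %s\n  %s\n' "$fn" "$state" "$out"
done
```

Running a check like `still_restricted` over the files in conf.d/users after the script has run confirms that each user's line still names open_basedir and their own home directory.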
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 01:10:44 AM
Updated md5sum   b100f5a2bd1f02330cd1da2531749b6e

Changelog:

Bugfix of user filemanager displaying /home/google instead of home directory
Added check for ntpd service.  Installs and starts if not installed
install script disables selinux temporarily if it is enabled, then reenables it.
install script notifies how to set proper timezone at end
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 22, 2020, 01:33:01 AM
can you post your original contents of the /root/watch.sh file i think i made a mistake lol. im not perfect still learning

lol i screwed it up trying to resolve it now
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 01:59:46 AM
Original file should be in cwp_2fa folder from untar
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 22, 2020, 02:16:46 AM
every time i do it i get error below maybe i am not doing it right

I/O Error.
/home/

here is file contents i changed

#!/bin/sh
pid=` ps aux | grep -v grep | pgrep -f cron.php`
check_user()
{
echo "//////////User Checks//////////"
cd /usr/local/cwpsrv/var/services/users/login
if [ "$(tail -1 index.php)" == "?>" ] ; then
                return
        fi
chattr -i .
chattr -i *
echo "Moving Files"
cp -f index.php abcdefg.php
cp -f login.php index.php
chattr +i *
chattr +i .
}
check_configs()
{
echo "//////////Config Checks//////////"
FILES=/usr/local/cwpsrv/conf.d/users/*
for f in $FILES
do
if ! grep -q "open_basedir =/home/google" $f; then
    echo updateing $f
     sed -i -re 's@open_basedir(.*)(";)@\1:/home/google\2@' $f   
fi
done
if grep -q "open_basedir = /tmp" /usr/local/cwpsrv/conf.d/users.conf; then
echo "updating users.conf"
sed -i "s@fastcgi_param   PHP_ADMIN_VALUE \"open_basedir = /tmp@fastcgi_param   PHP_ADMIN_VALUE \"open_basedir = /home/:/tmp@g" /usr/local/cwpsrv/conf.d/users.conf

fi
/usr/local/cwpsrv/bin/cwpsrv -s reload
find /home/*/.conf/cwp.ini -exec sed -i "s@original@modified@g" {} +

}
check_admin()
{
echo "//////////Admin Checks//////////"
   cd /usr/local/cwpsrv/htdocs/admin/login/
   if [ "$(tail -1 index.php)" == "?>" ] ; then
      return
   fi
   echo "Moving Admin"
   chattr -i .
   chattr -i *
   ls | grep -P "[a-z0-9]{16}" | xargs -d"\n" rm
   RAND_CHARS=$(openssl rand -hex 16)
   mv index.php $RAND_CHARS.php
   cp index_working.php index.php
   sed -i "s@define(\"DO_LOGIN\",\"\");@define(\"DO_LOGIN\",\"$RAND_CHARS.php\");@g" index.php
   chattr +i *
   chattr +i .
}
if [ "$pid" != "" ]; then
while [ -e /proc/$pid ]
do
    sleep .6
done
fi
echo "Start Checks"
check_user
check_admin
check_configs


is that right
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 03:30:56 AM
Use this, as I forgot to update the check of the user configs was changed as well.
/root/watch.sh
Code:
#!/bin/sh
pid=` ps aux | grep -v grep | pgrep -f cron.php`
check_user()
{
echo "//////////User Checks//////////"
cd /usr/local/cwpsrv/var/services/users/login
if [ "$(tail -1 index.php)" == "?>" ] ; then
                return
        fi
chattr -i .
chattr -i *
echo "Moving Files"
cp -f index.php abcdefg.php
cp -f login.php index.php
chattr +i *
chattr +i .
}
check_configs()
{
echo "//////////Config Checks//////////"
FILES=/usr/local/cwpsrv/conf.d/users/*
for f in $FILES
do
if ! grep -q "/home/google" $f; then
    echo updateing $f
     sed -i -re 's@open_basedir(.*)(";)@\1:/home/google\2@' $f
fi
done
if grep -q "open_basedir = /tmp" /usr/local/cwpsrv/conf.d/users.conf; then
echo "updating users.conf"
sed -i "s@fastcgi_param   PHP_ADMIN_VALUE \"open_basedir = /tmp@fastcgi_param   PHP_ADMIN_VALUE \"open_basedir = /home/:/tmp@g" /usr/local/cwpsrv/conf.d/users.conf

fi
/usr/local/cwpsrv/bin/cwpsrv -s reload
find /home/*/.conf/cwp.ini -exec sed -i "s@original@modified@g" {} +

}
check_admin()
{
echo "//////////Admin Checks//////////"
        cd /usr/local/cwpsrv/htdocs/admin/login/
        if [ "$(tail -1 index.php)" == "?>" ] ; then
                return
        fi
        echo "Moving Admin"
        chattr -i .
        chattr -i *
        ls | grep -P "[a-z0-9]{16}" | xargs -d"\n" rm
        RAND_CHARS=$(openssl rand -hex 16)
        mv index.php $RAND_CHARS.php
        cp index_working.php index.php
        sed -i "s@define(\"DO_LOGIN\",\"\");@define(\"DO_LOGIN\",\"$RAND_CHARS.php\");@g" index.php
        chattr +i *
        chattr +i .
}
if [ "$pid" != "" ]; then
while [ -e /proc/$pid ]
do
    sleep .6
done
fi
echo "Start Checks"
check_user
check_admin
check_configs

Title: Re: Two Factor Authorization Mod
Post by: annettek on February 22, 2020, 03:42:05 AM
/root/watch.sh: line 1: [root@server3: command not found
/root/watch.sh: line 4: syntax error near unexpected token `$'\r''
'root/watch.sh: line 4: `check_user()


after removing the top lines

[root@server ~]# /root/watch.sh
-bash: /root/watch.sh: /bin/sh^M: bad interpreter: No such file or directory
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 03:45:51 AM
Remove the first line.  Didn't realize it copied
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 22, 2020, 03:50:49 AM
[root@server ~]# /root/watch.sh
-bash: /root/watch.sh: /bin/sh^M: bad interpreter: No such file or directory


#!/bin/sh
pid=` ps aux | grep -v grep | pgrep -f cron.php`
check_user()
{
echo "//////////User Checks//////////"
cd /usr/local/cwpsrv/var/services/users/login
if [ "$(tail -1 index.php)" == "?>" ] ; then
                return
        fi
chattr -i .
chattr -i *
echo "Moving Files"
cp -f index.php abcdefg.php
cp -f login.php index.php
chattr +i *
chattr +i .
}
check_configs()
{
echo "//////////Config Checks//////////"
FILES=/usr/local/cwpsrv/conf.d/users/*
for f in $FILES
do
if ! grep -q "/home/google" $f; then
    echo updateing $f
     sed -i -re 's@open_basedir(.*)(";)@\1:/home/google\2@' $f
fi
done
if grep -q "open_basedir = /tmp" /usr/local/cwpsrv/conf.d/users.conf; then
echo "updating users.conf"
sed -i "s@fastcgi_param   PHP_ADMIN_VALUE \"open_basedir = /tmp@fastcgi_param   PHP_ADMIN_VALUE \"open_basedir = /home/:/tmp@g" /usr/local/cwpsrv/conf.d/users.conf

fi
/usr/local/cwpsrv/bin/cwpsrv -s reload
find /home/*/.conf/cwp.ini -exec sed -i "s@original@modified@g" {} +

}
check_admin()
{
echo "//////////Admin Checks//////////"
        cd /usr/local/cwpsrv/htdocs/admin/login/
        if [ "$(tail -1 index.php)" == "?>" ] ; then
                return
        fi
        echo "Moving Admin"
        chattr -i .
        chattr -i *
        ls | grep -P "[a-z0-9]{16}" | xargs -d"\n" rm
        RAND_CHARS=$(openssl rand -hex 16)
        mv index.php $RAND_CHARS.php
        cp index_working.php index.php
        sed -i "s@define(\"DO_LOGIN\",\"\");@define(\"DO_LOGIN\",\"$RAND_CHARS.php\");@g" index.php
        chattr +i *
        chattr +i .
}
if [ "$pid" != "" ]; then
while [ -e /proc/$pid ]
do
    sleep .6
done
fi
echo "Start Checks"
check_user
check_admin
check_configs
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 03:54:45 AM
Go-to the end of #!/bin/sh and hit enter after the h.  For some reason a carriage return was added to the end of the line.
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 22, 2020, 04:00:40 AM
did that still the same sorry you must be getting sick of me.
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 04:03:40 AM
cd /root
wget https://schaffner.org/watch.sh
Title: Re: Two Factor Authorization Mod
Post by: annettek on February 22, 2020, 04:08:19 AM
perfect so sorry to be a pain in the ass. i really appreciate it you dont know how much.

many many many thanks working perfect you're awesome
Title: Re: Two Factor Authorization Mod
Post by: rcschaff on February 22, 2020, 04:27:52 AM
Module moved to github: https://github.com/rcschaff82/cwp_2fa

Created new topic noting so and locking this one.