MFA fails randomly

Hi,

Lately we’ve been experiencing an issue with MFA again. Before, it was a time-sync issue, but we eliminated that and it was fine for a couple of months; now it’s happening again. After setting up MFA it works for some time, then it starts failing collectively.
We use on-prem passbolt installed on Ubuntu 22.04 and chrony as a time-sync client syncing with pool.ntp.org.
The time is synced and on point.
Restarting the server or chrony doesn’t solve the issue.
Any ideas where I should start looking?

Healthcheck:
"
[passbolt ASCII banner]

Open source password manager for teams

Healthcheck shell…

Environment

[PASS] PHP version 8.1.2-1ubuntu2.17.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to ********
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.8.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 49 tables found.
[PASS] Some default content is present.

Directory Sync

[WARN] The endpoints for updating the users directory configurations are enabled.
[HELP] It is recommended to disable endpoints for updating the users directory configurations.
[HELP] Set the PASSBOLT_SECURITY_DIRECTORY_SYNC_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.directorySync.endpointsDisabled to true in /etc/passbolt/passbolt.php.

SSO

[PASS] SSL certification validation for SSO instance is enabled.

[PASS] No error found. Nice one sparky!
"

Hello @matreicht,
Sometimes time synchronization issues are also related to the client itself.

Can you confirm that both the server and client are time synchronized? Also, which error do you have with MFA? We need some details in order to understand what could be happening.

Hello antony,

The client and the server are both time synchronized and have the same time.
Error:
The server responds with “invalid OTP code” and users cannot log in to their account unless MFA is disabled manually.

I saw that you were on Ubuntu, but have you enabled SELinux or AppArmor?

After censoring the fullBaseUrl and so on, could you share the full output of the status report?

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" www-data 

This should contain the datacheck, cleanup dry run, server logs and the healthCheck that you already shared.

  • Also, do you see any errors on the browser extension logs console after reproducing the error?
  • Is it happening for all of your users?

Thanks :slight_smile:

Hi,
No SELinux or AppArmor enabled. I can’t confirm the “all users” part, since the one month for MFA runs out at different times for everyone, but I received complaints from many users. Resetting the MFA fixes the issue for the user until it starts failing again. No errors in the browser extension logs.

Here’s the status report:
Passbolt PRO 4.8.0
Cakephp 4.5.2
Linux t-passbolt 5.15.0-112-generic #122-Ubuntu SMP Thu May 23 07:48:21 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PHP 8.1.2-1ubuntu2.17 (cli) (built: May 1 2024 10:10:07) (NTS)
mysql Ver 8.0.37-0ubuntu0.22.04.3 for Linux on x86_64 ((Ubuntu))
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4

Healthcheck shell (output identical to the healthcheck posted above)

Cleanup shell (dry-run)

3 issues found in table Groups (with no members)
3 issues detected, please re-run without --dry-run to fix.

Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 2328/2328
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 27/27
[PASS] Pass validation service checks: 27/27
[PASS] Entity data and armored key data matches: 27/27
[PASS] Is not expired: 27/27
[PASS] Is armored key format valid: 27/27
[PASS] Data integrity for Groups.
[PASS] Can validate: 9/9
[PASS] Data integrity for Profiles.
[PASS] Can validate: 39/39
[PASS] Data integrity for Resources.
[PASS] Can validate: 1859/1859
[PASS] Data integrity for Secrets.
[PASS] Can validate: 7816/7816
[PASS] Data integrity for Users.
[PASS] Can validate: 39/39

Hey,

I noticed something weird today: I checked the outgoing email logs and saw that the time is wrong within passbolt. The email log stated that the email was sent out at 11:14:16 while the time according to the OS was 13:14:16. How come OS time and passbolt time differ?

Since it is exactly a 2 hour difference it looks like UTC vs your current time zone. Do you happen to be in a country that is currently in UTC+2?

Yes I am. It does look like time zone diff. Is there a separate setting within passbolt for time zones?

Hey, I searched the PHP code of passbolt and have seen that the default timezone setting is UTC, but I don’t see where/if it is being overruled by the time settings of the OS (in previous versions it worked fine). I also edited the php.ini [Date] date.timezone parameter hoping it would be applied to passbolt, unfortunately with no success. Any ideas what to try next?

For the email timezone we don’t currently have a way to really change this. We do have an internal ticket (PB-24267), as this has been requested a couple of times. We initially went with UTC as the default since it is usually easier for organizations operating in multiple timezones, and since the logs tend to also be in UTC it makes for easier comparison.

Regardless, having the server in UTC vs. you being in UTC+2 shouldn’t have any bearing on the MFA issue you were having. Since you mentioned it works for roughly a month after re-enabling it for a user, it would seem like there is a very minuscule drift either on the clients generating the codes or on the server itself.

How are your users generating the codes? Is everyone using whatever they want or do you have a centralized service for that?

Additionally, could you post the output of timedatectl status on the server? That way maybe we can see if there is an offset or if it is running into issues keeping in sync.

Hi,

Everybody uses whatever they prefer, MS or Google Authenticator mainly.
timedatectl status:
Local time: Fri 2024-06-21 09:01:17 CEST
Universal time: Fri 2024-06-21 07:01:17 UTC
RTC time: Fri 2024-06-21 07:01:09
Time zone: Europe/Budapest (CEST, +0200)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
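The status output above is what the moderator read by eye. The following is an added example, not passbolt tooling, that automates the same check from `timedatectl status` and `chronyc tracking` output so it can run from cron or a monitoring agent. The `chronyc tracking` sample is constructed (the reference server name and offset values are invented); the `timedatectl` sample is copied from the values posted in this thread. The 1.0 s alert threshold is an assumption. Note what each number means: TOTP depends on the system clock the PHP process reads, and `chronyc tracking` reports that clock's offset from NTP directly; the `RTC time` line is the hardware clock, which only seeds the system clock at boot, so the RTC gap is reported but does not by itself fail the check.

```python
"""Clock-drift check for a TOTP server (added example, not passbolt tooling).

Parses `chronyc tracking` and `timedatectl status` output and reports the
offsets relevant to TOTP: system clock vs. NTP (what matters) and hardware
clock (RTC) vs. system clock (informational). The chronyc sample is constructed;
the timedatectl sample reproduces the values from the thread. The 1.0 s
threshold is an assumption.
"""
import re
import subprocess
from datetime import datetime, timezone

MAX_SYSTEM_OFFSET_S = 1.0   # assumption: alert long before a 30 s TOTP step is at risk

CHRONYC_SAMPLE = """\
Reference ID    : C0A80001 (ntp.example.net)
Stratum         : 3
Ref time (UTC)  : Fri Jun 21 07:01:10 2024
System time     : 0.000341234 seconds slow of NTP time
Last offset     : -0.000123456 seconds
RMS offset      : 0.000234567 seconds
Frequency       : 12.345 ppm slow
Residual freq   : -0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""

TIMEDATECTL_SAMPLE = """\
               Local time: Fri 2024-06-21 09:01:17 CEST
           Universal time: Fri 2024-06-21 07:01:17 UTC
                 RTC time: Fri 2024-06-21 07:01:09
                Time zone: Europe/Budapest (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
"""


def parse_chronyc_offset(text: str) -> float:
    """Signed offset of the system clock from NTP in seconds (positive = clock runs fast)."""
    m = re.search(r"System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", text)
    if not m:
        raise ValueError("no 'System time' line in chronyc tracking output")
    value = float(m.group(1))
    return value if m.group(2) == "fast" else -value


def _field(text: str, name: str) -> str:
    """Value of a 'Name: value' line in timedatectl output."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"no '{name}' line in timedatectl output")
    return m.group(1)


def parse_timedatectl(text: str) -> dict:
    """Universal time and RTC time as aware UTC datetimes, the NTP sync flag, and the RTC gap.
    Assumes 'RTC in local TZ: no', i.e. the RTC line is in UTC (as in the thread)."""
    fmt = "%a %Y-%m-%d %H:%M:%S"
    utc = datetime.strptime(_field(text, "Universal time").replace(" UTC", ""), fmt)
    rtc = datetime.strptime(_field(text, "RTC time"), fmt)
    return {
        "utc": utc.replace(tzinfo=timezone.utc),
        "rtc": rtc.replace(tzinfo=timezone.utc),
        "synchronized": _field(text, "System clock synchronized") == "yes",
        "rtc_minus_system_s": (rtc - utc).total_seconds(),
    }


def assess(chronyc_text: str, timedatectl_text: str) -> dict:
    """Combine both sources into a verdict. Only the system clock affects TOTP,
    so the RTC gap is reported but is not a failure on its own."""
    sys_offset = parse_chronyc_offset(chronyc_text)
    td = parse_timedatectl(timedatectl_text)
    problems = []
    if not td["synchronized"]:
        problems.append("system clock not synchronized with NTP")
    if abs(sys_offset) > MAX_SYSTEM_OFFSET_S:
        problems.append(f"system clock {sys_offset:+.3f}s from NTP")
    return {
        "system_offset_s": sys_offset,
        "rtc_minus_system_s": td["rtc_minus_system_s"],
        "problems": problems,
        "ok": not problems,
    }


def assess_live() -> dict:
    """Run the two commands on this host (Linux with chrony and systemd) and assess them."""
    chrony = subprocess.run(["chronyc", "tracking"], capture_output=True, text=True, check=True).stdout
    td = subprocess.run(["timedatectl", "status"], capture_output=True, text=True, check=True).stdout
    return assess(chrony, td)


if __name__ == "__main__":
    print(assess(CHRONYC_SAMPLE, TIMEDATECTL_SAMPLE))
```

On the thread's numbers the verdict is `ok`: the system clock is within microseconds of NTP, while the RTC lags by 8 s. Run `assess_live()` periodically and keep the history next to the MFA failure timestamps; that is the correlation the moderator asks for later in the thread.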

It looks like you’ve got an 8-second difference there.

I corrected the 8 seconds now. It seems to be working, but I need to test it in the long run. Also, an 8-second diff shouldn’t cause the entire MFA to fail, should it?

8 seconds could be enough to throw off MFA for users. It might be worth monitoring to see if the drift comes back or not and comparing that to the MFA failures if they happen again.
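To make the “8 seconds could be enough” question concrete, here is an added example (not passbolt code) of RFC 6238 TOTP verification with a configurable acceptance window, plus a sweep that measures what fraction of login attempts a given client/server clock offset gets rejected. The secret is the RFC 6238 test-vector secret, the offsets and window sizes are illustrative, and the page does not say what window, if any, passbolt’s TOTP check applies.

```python
"""RFC 6238 TOTP with a verification window, plus a clock-offset analysis.

Added example; not passbolt code. The secret, sample offsets and window sizes
are illustrative, and the page does not state what window (if any) passbolt
applies when validating TOTP codes.
"""
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """TOTP = HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 0,
           digits: int = DIGITS, step: int = STEP) -> bool:
    """Accept `code` if it matches the server's current step or any step within +/-window.

    Every candidate is compared in constant time and the loop never exits early,
    so response timing does not reveal which step (if any) matched.
    """
    counter = server_time // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            matched = True
    return matched


def failure_fraction(secret: bytes, offset_seconds: int, window: int,
                     step: int = STEP, samples: int = 3000) -> float:
    """Fraction of attempts rejected when the authenticator's clock runs
    `offset_seconds` ahead of the server's (negative = behind) and the server
    accepts +/-window steps. One attempt per second over `samples` seconds, so
    every phase within a step is sampled evenly."""
    base = 1_700_000_000   # arbitrary Unix time; only the phase within a step matters
    failures = 0
    for t in range(base, base + samples):
        client_code = totp(secret, t + offset_seconds, step=step)
        if not verify(secret, client_code, t, window=window, step=step):
            failures += 1
    return failures / samples


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real one
    for window in (0, 1):
        for offset in (0, 8, -8, 40):
            frac = failure_fraction(secret, offset, window)
            print(f"window=+/-{window} step(s), client offset {offset:+4d}s: "
                  f"{frac:6.1%} of attempts rejected")
```

The sweep shows the pattern the thread describes: with a strict check (window 0) an 8 s offset rejects about 8 out of every 30 seconds’ worth of codes, so roughly a quarter of logins fail and the failures look random to the user; with a ±1 step window the same offset never fails, and only an offset beyond one full step (40 s here) starts to reject codes again. Whichever way passbolt validates, comparing the measured system-clock offset against this curve tells you whether drift can explain the failure rate you see.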