Setup Yubikey by ENV_VAR has no effect

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Hi, I’m using CE version 3.12 which supports Yubikey MFA.

I’ve read and followed this Passbolt Help | How to configure passbolt to use Yubikey OTP

I’m using docker, so I tried the ENV_VAR approach without success.
I’ve tried the Admin UI => it worked ?!

In /app/administration/mfa the “Yubikey” is not / does not stay activated.

There’s nothing in the logs (just nothing, I mean: I see navigation logs, but no messages related to the Yubikey configuration failing).

Here’s an example of what I see:

10.1.3.180 - - [09/Jun/2023:07:10:38 +0000] "GET /auth/is-authenticated.json HTTP/1.1" 200 261 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.1.3.180 - - [09/Jun/2023:07:10:38 +0000] "GET /auth/is-authenticated.json HTTP/1.1" 200 261 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"
10.1.3.180 - - [09/Jun/2023:07:10:43 +0000] "GET / HTTP/1.1" 302 5 "-" "ELB-HealthChecker/2.0"

My setup is as follows:

  • AWS hosted
  • Docker in ECS
  • a Load Balancer in front of passbolt

In the end it works, but for my setup ENV VAR support would be far better.

Hi @squaloo. Since you didn’t mention the variables you used, I thought I would post a link to a PR, as they are also not currently listed on the passbolt Docker variables page on the help site. I figured you dug into the code, but just in case.

We’ll try to reproduce this issue, maybe there is a regression.
Best,

Hi @squaloo ,

The documentation might indeed be missing one env variable:
PASSBOLT_PLUGINS_MFA_PROVIDERS_YUBIKEY=true

Setting the env variables as follows worked for me:

PASSBOLT_PLUGINS_MFA_PROVIDERS_YUBIKEY=true
PASSBOLT_PLUGINS_MFA_YUBIKEY_CLIENTID=123
PASSBOLT_PLUGINS_MFA_YUBIKEY_SECRETKEY="foo"

Do you confirm? In any case we will update the doc.

I’ve just tried as follows:

  • went in Admin UI, deactivated Yubikey MFA
  • stopped container
  • started it again with the new env var (At the moment I have the 3 you mention above)

=> did not work, Yubikey MFA was still deactivated.

Maybe it could be related to the fact that I once used the Admin UI, as it has priority over env vars?
(If you’d like, I can check something in the DB and see if there’s a configuration remnant, just tell me where.)

If you want to check in the DB, you may find something in the organization_settings table.

Great! Indeed, when deactivating with the Admin UI, a record stays in the DB (which is perfectly fine), with a ‘modified’ date and no values for the Yubikey client id / secret.

I removed the line and restarted the container with the 3 env variables … => YubiKey is activated as expected.

Thank you all again.

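A small model of the behaviour the thread ends on, as an added example that is not part of any post and is not Passbolt's own code: a settings record left by the Admin UI decides the MFA state, and the environment variables only apply once that record is gone. The SQLite stand-in, its column names, the `'mfa'` property value and the JSON layout are assumptions for illustration; only the `organization_settings` table name and the three variable names come from the thread.

```python
import json
import sqlite3

# The three variables quoted in the thread.
REQUIRED_ENV = (
    "PASSBOLT_PLUGINS_MFA_PROVIDERS_YUBIKEY",
    "PASSBOLT_PLUGINS_MFA_YUBIKEY_CLIENTID",
    "PASSBOLT_PLUGINS_MFA_YUBIKEY_SECRETKEY",
)

def make_db(stale_row):
    """Constructed stand-in for the organization_settings table (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE organization_settings (property TEXT, value TEXT, modified TEXT)")
    if stale_row:
        # What the thread describes after deactivating in the Admin UI:
        # a row with a 'modified' date and no Yubikey client id / secret.
        value = json.dumps({"providers": [], "yubikey": {"clientId": "", "secretKey": ""}})
        conn.execute("INSERT INTO organization_settings VALUES ('mfa', ?, '2023-06-09 07:10:38')", (value,))
    return conn

def diagnose(conn, env):
    """Report which source decides whether Yubikey MFA is active."""
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    row = conn.execute(
        "SELECT value, modified FROM organization_settings WHERE property = 'mfa'"
    ).fetchone()
    if row is not None:
        # A saved record wins; the environment is not consulted.
        cfg = json.loads(row[0] or "{}")
        yubi = cfg.get("yubikey") or {}
        active = ("yubikey" in cfg.get("providers", [])
                  and bool(yubi.get("clientId")) and bool(yubi.get("secretKey")))
        return {"source": "database", "yubikey_active": active,
                "modified": row[1], "env_shadowed": not missing}
    enabled = env.get(REQUIRED_ENV[0], "").lower() == "true"
    return {"source": "environment", "yubikey_active": enabled and not missing,
            "missing": missing}

if __name__ == "__main__":
    env = dict(zip(REQUIRED_ENV, ("true", "123", "foo")))  # values from the thread
    print(diagnose(make_db(stale_row=True), env))
    print(diagnose(make_db(stale_row=False), env))
```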