
No new encryption key is being created when old one exists but password does not match #9761

Closed
devurandom opened this issue Jun 6, 2018 · 4 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: encryption (server-side)

Comments


devurandom commented Jun 6, 2018

Steps to reproduce

The following is an assumption of how this happened:

  1. Enable encryption
  2. Let time pass
  3. Change user password (LDAP)
  4. Let more time pass
  5. Be unable to provide old key password in "user settings > security"
  6. Make sure to have encryption enabled
  7. Upload a new file
  8. Try to share that file
  9. Find modal dialogue "Private Key missing for user: please try to log-out and log-in again"
  10. Move $USER/files_encryption/OC_DEFAULT_MODULE out of the way
      • It is a folder with an mtime from 2015, from even before the encryption_migration_backup_2016-... folder was last modified
  11. Log out and log in again
  12. Find new files in $USER/files_encryption/OC_DEFAULT_MODULE
  13. Find that sharing files works now

Expected behaviour

  • As long as the old private key is not accessible, because the user could not provide the old password, a new key should be used.
  • The fact that old files cannot be decrypted until the user provides the old password should be highlighted more prominently in the web UI.

Actual behaviour

I cannot share links to newly uploaded files.

Server configuration

Operating system: Gentoo Linux

Web server: Lighttpd 1.4.49

Database: MariaDB 10.1.31

PHP version: 7.1.16

Nextcloud version: 13.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Gentoo packages

Signing status:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- EXTRA_FILE
		- .webapp-nextcloud-13.0.1

Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [.webapp-nextcloud-13.0.1] => Array
                        (
                            [expected] => 
                            [current] => 
                        )

                )

        )

)

List of activated apps:

Enabled:
  - activity: 2.6.1
  - audioplayer: 2.3.0
  - bookmarks: 0.11.0
  - calendar: 1.6.1
  - comments: 1.3.0
  - contacts: 2.1.5
  - dav: 1.4.6
  - encryption: 2.0.0
  - federatedfilesharing: 1.3.1
  - federation: 1.3.0
  - files: 1.8.0
  - files_pdfviewer: 1.2.1
  - files_retention: 1.2.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.1
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - files_videoplayer: 1.2.0
  - firstrunwizard: 2.2.1
  - gallery: 18.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.1.0
  - nextcloud_announcements: 1.2.0
  - notifications: 2.1.2
  - oauth2: 1.1.0
  - password_policy: 1.3.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - sharebymail: 1.3.0
  - survey_client: 1.1.0
  - systemtags: 1.3.0
  - tasks: 0.9.6
  - theming: 1.4.5
  - twofactor_backupcodes: 1.2.3
  - twofactor_totp: 1.4.1
  - updatenotification: 1.3.0
  - user_ldap: 1.3.1
  - workflowengine: 1.3.0
Disabled:
  - admin_audit
  - files_external
  - user_external

Nextcloud configuration:

{
    "system": {
        "trusted_domains": [
            "***MY DOMAIN***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "13.0.1.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "forcessl": true,
        "theme": "",
        "maintenance": false,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2,
        "forceSSLforSubdomains": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "htaccess.RewriteBase": "\/",
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "overwrite.cli.url": "***MY URL***"
    }
}

Are you using external storage, if yes which one: No

Are you using encryption: Yes

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

| Configuration                 |                                            |
+-------------------------------+--------------------------------------------+
| hasMemberOfFilterSupport      |                                            |
| hasPagedResultSupport         |                                            |
| homeFolderNamingRule          |                                            |
| lastJpegPhotoLookup           | 0                                          |
| ldapAgentName                 | ***MY OWNCLOUD USER DN***   |
| ldapAgentPassword             | ***                                        |
| ldapAttributesForGroupSearch  |                                            |
| ldapAttributesForUserSearch   |                                            |
| ldapBackupHost                |                                            |
| ldapBackupPort                |                                            |
| ldapBase                      | ***MY BASE DN***                             |
| ldapBaseGroups                | ***MY GROUPS BASE DN***                   |
| ldapBaseUsers                 | ***MY USERS BASE DN***                    |
| ldapCacheTTL                  | 600                                        |
| ldapConfigurationActive       | 1                                          |
| ldapDefaultPPolicyDN          |                                            |
| ldapDynamicGroupMemberURL     |                                            |
| ldapEmailAttribute            | mail                                       |
| ldapExperiencedAdmin          | 0                                          |
| ldapExpertUUIDGroupAttr       |                                            |
| ldapExpertUUIDUserAttr        |                                            |
| ldapExpertUsernameAttr        |                                            |
| ldapGidNumber                 | gidNumber                                  |
| ldapGroupDisplayName          | cn                                         |
| ldapGroupFilter               | (&(|(objectclass=posixGroup)))             |
| ldapGroupFilterGroups         |                                            |
| ldapGroupFilterMode           | 0                                          |
| ldapGroupFilterObjectclass    | posixGroup                                 |
| ldapGroupMemberAssocAttr      | memberUid                                  |
| ldapHost                      | ***MY LDAP HOST***                                |
| ldapIgnoreNamingRules         |                                            |
| ldapLoginFilter               | (&(|(objectclass=posixAccount))(uid=%uid)) |
| ldapLoginFilterAttributes     |                                            |
| ldapLoginFilterEmail          | 0                                          |
| ldapLoginFilterMode           | 0                                          |
| ldapLoginFilterUsername       | 1                                          |
| ldapNestedGroups              | 0                                          |
| ldapOverrideMainServer        | 0                                          |
| ldapPagingSize                | 500                                        |
| ldapPort                      | 389                                        |
| ldapQuotaAttribute            |                                            |
| ldapQuotaDefault              |                                            |
| ldapTLS                       | 0                                          |
| ldapUserDisplayName           | cn                                         |
| ldapUserDisplayName2          | mail                                       |
| ldapUserFilter                | (|(objectclass=posixAccount))              |
| ldapUserFilterGroups          |                                            |
| ldapUserFilterMode            | 0                                          |
| ldapUserFilterObjectclass     | posixAccount                               |
| ldapUuidGroupAttribute        | auto                                       |
| ldapUuidUserAttribute         | auto                                       |
| turnOffCertCheck              | 0                                          |
| turnOnPasswordChange          | 0                                          |
| useMemberOfToDetectMembership | 1                                          |
+-------------------------------+--------------------------------------------+

Client configuration

Browser: Firefox 60.0.1

Operating system: Linux

Logs

Web server error log

Nothing related

Nextcloud log (data/nextcloud.log)

Insert your Nextcloud log here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

This appears to be related to #427.

@MorrisJobke
Member

cc @nextcloud/encryption @blizzz

@MorrisJobke MorrisJobke added feature: encryption (server-side) bug 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jun 6, 2018

blizzz commented Jun 6, 2018

@schiessle


muppeth commented Jun 6, 2018

Additionally, in case of a lost password, the user could set in the personal settings that he cannot update the password. It would mean he manually (or automatically) should remove all files, and a new key should be created upon re-login. Otherwise users with properly lost passwords will have the popup visible until the admin removes the keys manually for the user.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jul 7, 2018
@schiessle
Member

Automatically creating a new key would result in a huge mess: you would have some files encrypted with key1, some with key2, some with key3, ... If you are in a state where the key is broken you should really consult your admin and try to figure out what's the best way to solve it.

  • (temporarily) Reset password back to old one
  • restore a backup
  • clear your account and update your files again (e.g. if you have a local copy)
  • ...
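The key lifecycle this thread is about, as an added example that is not Nextcloud's code: a user's private key is wrapped under the login password (key1), the password is changed in LDAP so the server can no longer unwrap it, the reporter's expected behaviour is to fall back to a fresh key for new uploads, and schiessle's objection is that files then end up under different keys. The model below represents `$USER/files_encryption/OC_DEFAULT_MODULE` as an in-memory keystore that records which key id each file was encrypted under, so both positions can be checked. The PBKDF2 derivation, the HMAC-SHA256 counter-mode stream cipher and the encrypt-then-MAC wrapping are stand-ins chosen so that a wrong password is detected by a tag check rather than by garbage plaintext; they are not the server's actual key format. The method names (`login`, `recover`, `files_locked`) and the `rotate_if_locked` policy flag are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # constructed parameter; not Nextcloud's KDF settings


def _derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key (stand-in for the server's password-based derivation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def _keystream(kek: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher (illustrative only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(kek, b"enc" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(secret: bytes, password: str) -> dict:
    """Encrypt-then-MAC a secret under a password-derived key; the tag exposes a wrong password."""
    salt = secrets.token_bytes(16)
    kek = _derive_kek(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, len(secret))))
    tag = hmac.new(kek, b"mac" + salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(blob: dict, password: str) -> Optional[bytes]:
    """Return the secret, or None when the password does not match (tag mismatch)."""
    kek = _derive_kek(password, blob["salt"])
    expected = hmac.new(kek, b"mac" + blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, len(blob["ct"]))))


class UserKeystore:
    """Hypothetical model of OC_DEFAULT_MODULE: wrapped private keys plus per-file key ids."""

    def __init__(self) -> None:
        self.keys: dict = {}       # key_id -> wrapped private key blob
        self.current = None        # key_id used for newly uploaded files
        self.file_keys: dict = {}  # path -> key_id the file was encrypted under

    def _new_key(self, password: str) -> str:
        key_id = f"key{len(self.keys) + 1}"
        self.keys[key_id] = wrap(secrets.token_bytes(32), password)
        self.current = key_id
        return key_id

    def login(self, password: str, rotate_if_locked: bool = False) -> str:
        """'missing': no key at all, fresh one created (the case that works once the folder is moved away).
        'ok': current key unwraps.  'locked': key exists but password mismatches (changed in LDAP).
        'rotated': locked, and policy created a new key; the old blob is kept for later recovery."""
        if self.current is None:
            self._new_key(password)
            return "missing"
        if unwrap(self.keys[self.current], password) is not None:
            return "ok"
        if not rotate_if_locked:
            return "locked"
        self._new_key(password)
        return "rotated"

    def upload(self, path: str) -> None:
        self.file_keys[path] = self.current

    def can_decrypt(self, path: str, password: str) -> bool:
        return unwrap(self.keys[self.file_keys[path]], password) is not None

    def recover(self, key_id: str, old_password: str, new_password: str) -> bool:
        """Re-wrap an old key under the current password once the user supplies the old one."""
        secret = unwrap(self.keys[key_id], old_password)
        if secret is None:
            return False
        self.keys[key_id] = wrap(secret, new_password)
        return True

    def files_locked(self, password: str) -> list:
        """Files that would still show the 'Private Key missing' symptom under this password."""
        return sorted(p for p in self.file_keys if not self.can_decrypt(p, password))


def scenario() -> tuple:
    """Walk the reported sequence with constructed passwords and paths."""
    ks = UserKeystore()
    ks.login("old-pw")                                          # encryption enabled, key1 created
    ks.upload("/docs/2015.txt")                                 # file encrypted under key1
    status_locked = ks.login("new-pw")                          # LDAP password changed, old one gone
    status_rotated = ks.login("new-pw", rotate_if_locked=True)  # expected behaviour: new key2
    ks.upload("/docs/2018.txt")                                 # new upload goes under key2
    before = ks.files_locked("new-pw")                          # only the 2015 file stays locked
    ks.recover("key1", "old-pw", "new-pw")                      # user later supplies old password
    after = ks.files_locked("new-pw")
    return status_locked, status_rotated, before, after


if __name__ == "__main__":
    print(scenario())
```

The two states the report conflates are separable on the server side: `missing` (no blob, the situation after moving the folder away) and `locked` (blob present, tag check fails). Rotating only in the `locked` state keeps the old blob, so `files_locked` lists exactly the files that remain unreadable until `recover` succeeds, which is the information the reporter wanted surfaced in the UI, and it bounds the "key1, key2, key3" spread schiessle describes to a per-file record rather than an untracked mix.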

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Aug 10, 2018