Two factor auth is enabled, no access to webdav

sagarbehere · January 11, 2021, 10:44pm

Hello, I am using seafile server 8.0.2 with https behind nginx. 2FA is enabled. I tried to setup webdav according to the instructions in the seafile manual. However, I am unable to connect to webdav. The error message on a linux client is: Could not authenticate to server: rejected Basic challenge

In the seafdav.log file on the server, a message is: “Two factor auth is enabled, no access to webdav.” <-- Does this message mean that there is no possibility to access webdav with 2FA enabled? Is there some way around this, other than disabling 2FA?

92lleo · January 12, 2021, 4:24pm

See Disable webdav for users that have 2fa enabled

sagarbehere · January 12, 2021, 9:58pm

Thanks @92lleo. It seems, based on the thread you referenced, that with 8.0.2, users can either use webdav and forego 2FA, or they can enable 2FA and forego webdav. It’s not possible to use both using e.g. an application specific password for webdav or some other scheme. Now I regret updating

While it’d be great for this to be fixed, I think this thread can be closed since the current state of affairs does not support 2FA as well as webdav at the same time. Hopefully, the documentation/changelog is updated to reflect this.

seb · January 31, 2021, 11:24am

This is the second major Seafile upgrade that breaks webdav for me, but now this is irreversible.

I need both 2FA and webdav to work. Before breaking a behavior, an alternative such as app passwords should have been implemented.

At the very least, an option should be available to keep the v7 behavior (with a big security disclaimer message) until app passwords are implemented.

Obviously I have no real right to complain (not an enterprise customer), Seafile is pretty solid besides webdav, but the regressions will make people go find alternatives.

92lleo · January 31, 2021, 12:23pm

8.0.3 supports app-passwords now. Haven’t tested it myself yet.

Jonathan · February 1, 2021, 3:53am

You can try ENABLE_WEBDAV_SECRET option in seahub_settings.py: https://manual.seafile.com/config/seahub_settings_py/

vootoo · February 1, 2021, 11:33am

Does it help?

Jonathan · February 15, 2021, 6:25am

When 2FA is enabled, you can still use webdav secret to login to webdav. The secret bypasses the 2FA mechanism so it allows users to login to webdav. With normal passwords, webdav protocol doesn’t support 2FA login.

mydoom · February 20, 2021, 5:08pm

Thank you for giving us this feature

vootoo · February 23, 2021, 2:19am

thank you！

alexw1982 · April 14, 2021, 11:25am

Thanks for integrating this . It would be great to have the ability to limit libraries that are accessible via webdav. so that even when you have the app specific password the attacker is only able to access “less critical” data. Another option would be a combination of a token added to the url to access the webdav server and an app specific password (no security expert here though).