Two factor auth is enabled, no access to webdav

Hello, I am using Seafile server 8.0.2 with HTTPS behind nginx. 2FA is enabled. I tried to set up webdav according to the instructions in the Seafile manual. However, I am unable to connect to webdav. The error message on a Linux client is: "Could not authenticate to server: rejected Basic challenge"

In the seafdav.log file on the server, a message is: “Two factor auth is enabled, no access to webdav.” <-- Does this message mean that there is no possibility to access webdav with 2FA enabled? Is there some way around this, other than disabling 2FA?

See Disable webdav for users that have 2fa enabled

Thanks @92lleo. It seems, based on the thread you referenced, that with 8.0.2, users can either use webdav and forego 2FA, or they can enable 2FA and forego webdav. It’s not possible to use both using e.g. an application specific password for webdav or some other scheme. Now I regret updating :frowning:

While it’d be great for this to be fixed, I think this thread can be closed since the current state of affairs does not support 2FA as well as webdav at the same time. Hopefully, the documentation/changelog is updated to reflect this.

This is the second major Seafile upgrade that breaks webdav for me, but now this is irreversible.

I need both 2FA and webdav to work. Before breaking a behavior, an alternative such as app passwords should have been implemented.

At the very least, an option should be available to keep the v7 behavior (with a big security disclaimer message) until app passwords are implemented.

Obviously I have no real right to complain (not an enterprise customer), Seafile is pretty solid besides webdav, but the regressions will make people go find alternatives.

8.0.3 supports app-passwords now. Haven’t tested it myself yet.

You can try the ENABLE_WEBDAV_SECRET option in seahub_settings.py: https://manual.seafile.com/config/seahub_settings_py/

Does it help?

When 2FA is enabled, you can still use the webdav secret to log in to webdav. The secret bypasses the 2FA mechanism, so it allows users to log in to webdav. With normal passwords, the webdav protocol doesn’t support 2FA login.

Thank you for giving us this feature :heart:

Thank you!

Thanks for integrating this :heartpulse:. It would be great to have the ability to limit the libraries that are accessible via webdav, so that even when an attacker has the app-specific password, they are only able to access “less critical” data. Another option would be a combination of a token added to the URL to access the webdav server and an app-specific password (no security expert here though).