
Stop using passwords in Plesk

Why do you need it?


Password authentication has its drawbacks. Complex passwords are hard to remember, and simple ones can be guessed. If you need a few dozen passwords, remembering them all becomes painful, so people start writing them down. It is good if that means something like the 1password program; otherwise it may be “a piece of paper on the monitor / under the keyboard”, or the same password reused for different services (even if it is a complex one). Someone may fairly decide that their passwords are not worth the 3 thousand rubles that 1password costs in the Mac App Store. So the thought arises: how can you reduce the number of passwords you have to remember, preferably without much damage to security?

Starting with version 12.0, Plesk has a number of options that let you avoid passwords stored directly in the product. Most of the options discussed below are Plesk extensions. You can find and install each of them by logging in to the panel as administrator, opening Extensions (in the left menu), and then going to the Extensions Catalog. For clarity, I will also provide links to the Extensions Catalog site.

LDAP Auth


The first and perhaps the simplest extension I would like to cover is LDAP Auth. It teaches Plesk to authenticate clients using LDAP. The client must already exist in Plesk and must not be locked.
After installing the extension, go to the settings, turn it on, specify the host and prefix for the login. An example of how this might look in integration with Active Directory is in the screenshot below:

image

We actively use this extension on the Plesk installations that run inside the company.

Social Auth


The next extension is Social Auth. It lets you set up authentication through social services. From the administrator's point of view, setting up this extension is much more complicated, but the end result is worth it.

Suppose you want to set up authentication in Plesk with a Google Account. The integration is not done with each service directly but through the oneall.com aggregator. In some cases this makes it much easier and faster to get the desired result. We register an account at oneall, set up the service or services we need, return to Plesk, and in the extension settings enable authentication, enter the oneall keys and select the services:

image

Once all the settings have been made, additional buttons will appear on the login page for logging in to the panel through social services.

image

I actively use this extension on Plesk installations on external servers (outside the local intranet) where I am the administrator.

Google Authenticator


Two-factor authentication is provided as a Google Authenticator extension.

On the phone, install the application of the same name. Next, install the extension in the panel and enable it in the settings. To configure the extension, scan the QR code with the application on the phone:

image

After that, when you log in to the panel, you will be asked for a verification code, which you can look up in the Google Authenticator application on your phone:

image


Clef


A demonstration of the Clef extension makes a vivid impression at all sorts of presentations. This extension lets you authenticate in the panel using a mobile phone.

Install the application on the phone, install the extension in the panel and link the two. Linking is very simple and takes just a couple of clicks. After that, the login page has another button, “Login using the phone”. It works like this:

image


The next moment we are in the panel. And it all happened without touching the keyboard :)

You can find out more about Clef itself on the official website.

I sometimes use this extension on one of the servers. But usually laziness makes me turn to the less secure option that is more convenient for me: the Social Auth extension with Google Account authentication.

Using Tokens


Another option for client authentication in the panel is the use of tokens. This is not about a particular extension but about integration. Suppose we are a hosting provider and we have a personal account area for users. In its dashboard, we want to have a “Login to Plesk” button.

Instead of sending the user to the Plesk login page to enter their username and password, you can set up an autologin procedure (assuming that the user has already been authenticated in that “Personal Account”).

The autologin mechanism looks like this: we request a token for the client through the API as the administrator, build an autologin URL and hand it to the user's browser.

The official documentation covers this topic in detail: Automatic Logging In to Plesk.
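The three autologin steps above, as an added example (not code from the original article or from Plesk). The `create_session` packet layout, port 8443 and the `rsession_init.php?PLESKSESSID=` URL are assumptions based on Plesk's XML API documentation rather than on this article; the host, login, IP address and sample responses are constructed placeholders, and the HTTPS call that sends the packet with administrator credentials is left out so the code runs offline.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape


def build_create_session_packet(login: str, user_ip: str) -> str:
    """Request body for the XML API call made with administrator credentials."""
    # The token is bound to the end user's IP address, sent base64-encoded.
    ip_b64 = base64.b64encode(user_ip.encode()).decode()
    return (
        "<packet><server><create_session>"
        f"<login>{escape(login)}</login>"
        f"<data><user_ip>{ip_b64}</user_ip><source_server></source_server></data>"
        "</create_session></server></packet>"
    )


def parse_session_token(response_xml: str) -> str:
    """Return the session token, or raise if Plesk reported an error."""
    result = ET.fromstring(response_xml).find("./server/create_session/result")
    if result is None or result.findtext("status") != "ok":
        detail = result.findtext("errtext") if result is not None else "no result"
        raise RuntimeError(f"create_session failed: {detail}")
    token = result.findtext("id")
    if not token:
        raise RuntimeError("create_session returned no token")
    return token


def autologin_url(host: str, token: str) -> str:
    """URL handed to the user's browser; the token is URL-encoded."""
    query = urlencode({"PLESKSESSID": token})
    return f"https://{host}:8443/enterprise/rsession_init.php?{query}"


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = (
    "<packet><server><create_session><result>"
    "<status>ok</status><id>constructed-token-0001</id>"
    "</result></create_session></server></packet>"
)
SAMPLE_ERROR = (
    "<packet><server><create_session><result>"
    "<status>error</status><errtext>constructed error</errtext>"
    "</result></create_session></server></packet>"
)

if __name__ == "__main__":
    print(build_create_session_packet("client1", "203.0.113.7"))
    print(autologin_url("plesk.example.test", parse_session_token(SAMPLE_OK)))
```

The resulting URL is a bearer credential for the client's session, so generate it only when the already-authenticated user clicks the button and keep it out of application logs.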

SSH Keys


The last extension I would like to cover is SSH Keys. Above, we talked about client authentication in the control panel. However, one of the main things in the panel is still managing hosting and the files on a domain. To manage the files, you can use the web interface, FTP access or SSH access. Instead of storing system users' passwords, you can install the SSH Keys extension, add keys and use them for authentication.

After installing the extension, go to the subscription you need. On Websites & Domains, a new SSH Keys button appears on the right.

image

There is a list of keys and the ability to add a new key.

image

To be able to use SSH, you need to enable shell access for the specific user. This is done on Websites & Domains -> Web Hosting Access. For example, select /bin/bash and save the form.

image

I actively use this extension in almost all Plesk installations. Remembering a lot of passwords for various domains (system users) is beyond my strength :)

Creating your own mechanism


If, for some reason, all of the above was not enough, you can create your own authentication mechanism. To do this, use the Extensions SDK. In particular, the API Authentication Hook will be useful.

As an example, you can look at the sources of the LDAP Auth extension - they are open.

Summary


Thus, if you use Plesk and you're tired of password authentication, you can try other options. Some of them may turn out to be quite interesting and suitable for daily use.

Source: https://habr.com/ru/post/250015/

