Stop using passwords in Plesk
Why is this needed?
Password authentication has its drawbacks. Complex passwords are hard to remember, and simple ones are easy to guess. Once you need dozens of passwords, remembering them all becomes painful, so people start writing them down. It is fine if they end up in something like 1Password; otherwise it may be a "piece of paper on the monitor / under the keyboard", or the same password reused across different services (even if it is a complex one). Someone may reasonably decide that their passwords are not worth the 3 thousand rubles that 1Password costs in the Mac App Store. The question then becomes how to reduce the number of passwords you need to remember, preferably without much damage to security.
Starting with version 12.0, Plesk introduced a number of options that let you avoid using passwords stored directly in the product. Almost all the options discussed below are Plesk extensions. To find and install any of them, log in to the panel as administrator, go to Extensions (in the left menu), and then open the Extensions Catalog. For clarity, I will also provide links to the Extensions Catalog website.
The first and perhaps simplest extension to consider is LDAP Auth. This extension teaches Plesk to authenticate clients against LDAP. The client must already exist in Plesk and must not be locked.
After installing the extension, go to the settings, turn it on, specify the host and prefix for the login. An example of how this might look in integration with Active Directory is in the screenshot below:
We actively use this extension on the Plesk instances installed internally.
The next extension is Social Auth. It lets you set up authentication through social services. From an administrator's point of view, configuring this extension is noticeably more complicated, but the end result is worth it.
Let's say you want to set up authentication in Plesk using a Google Account. Integration is not done directly with each service, but through the oneall.com aggregator, which in some cases is a much simpler and faster way to get the desired result. Register an account with oneall and configure the service or services you need, then return to Plesk, enable authentication in the extension settings, specify the oneall keys and select the services:
Once all the settings have been completed, additional buttons will appear on the login page to enter the panel through social services.
I actively use this extension on Plesk installations on external servers (outside the local intranet), where I am the administrator.
Two-factor authentication is available as the Google Authenticator extension.
Install the application of the same name on your phone. Next, install the extension in the panel and enable it in the settings. To configure the extension, scan the QR code with the phone application:
From then on, when you log in to the panel, you will be asked for a verification code, which you can find in the Google Authenticator application on your phone:
The Clef extension makes a vivid impression when demonstrated at presentations. This extension lets you authenticate in the panel using a mobile phone.
Install the application on the phone, install the extension in the panel and connect. Linking is very simple, literally in a couple of clicks. After that, on the login page there is another button “Login using phone”. It works something like this:
The next moment we get into the panel. And everything happened without touching the keyboard :)
You can find out more about Clef on the official website.
I use this extension sometimes on one of the servers. But usually laziness forces me to turn to a less secure, but more convenient option for me through the Social Auth extension and authentication using Google Account.
Another option for client authentication in the panel is the use of tokens. This is not about any specific extension, but about integration. Suppose we are a hosting provider and our users have a personal account with us. In that personal account we want to have an "Enter Plesk" button.
Instead of the user getting to the Plesk login page and having to enter his login and password, you can organize an auto-login procedure (assuming that the user has already authenticated in a certain “Personal Account”).
The autologin mechanism is as follows: we request a token for the client through the API using administrator credentials, build an autologin URL from it and hand that URL to the user's browser.
The official documentation on this topic, with details: Automatic Logging In to Plesk.
The last extension I'd like to consider is SSH Keys. Above we talked about client authentication in the control panel. However, one of the main uses of the panel is still managing the hosting and the files on a domain. You can manage files through the web interface, FTP or SSH. Instead of remembering the passwords of system users, you can install the SSH Keys extension, add keys and use them for authentication.
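The three steps above as an added example (not code from the article or from Plesk). The `create_session` packet, the `HTTP_AUTH_*` headers and the `agent.php` and `rsession_init.php` paths are written from memory of the Plesk XML API and should be checked against the linked documentation; host names and sample responses are constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Element names, headers and paths are assumptions to verify against the Plesk docs.

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def build_session_request(login, user_ip, source_server):
    """create_session packet; ElementTree escapes the login, so it cannot inject XML."""
    packet = ET.Element("packet")
    session = ET.SubElement(ET.SubElement(packet, "server"), "create_session")
    ET.SubElement(session, "login").text = login
    data = ET.SubElement(session, "data")
    ET.SubElement(data, "user_ip").text = _b64(user_ip)  # IP of the user's browser
    ET.SubElement(data, "source_server").text = _b64(source_server)
    return ET.tostring(packet)

def parse_session_response(body):
    """Return the session token, or raise if Plesk reported an error."""
    result = ET.fromstring(body).find("server/create_session/result")
    if result is None or result.findtext("status") != "ok":
        reason = "no result element" if result is None else result.findtext("errtext")
        raise RuntimeError(f"create_session failed: {reason}")
    return result.findtext("id")

def autologin_url(host, token):
    return f"https://{host}:8443/enterprise/rsession_init.php?PLESKSESSID={quote(token, safe='')}"

def request_token(host, admin_login, admin_password, login, user_ip, source_server):
    """Server-side call from the account portal; admin credentials never reach the browser."""
    req = urllib.request.Request(
        f"https://{host}:8443/enterprise/control/agent.php",
        data=build_session_request(login, user_ip, source_server),
        headers={"Content-Type": "text/xml", "HTTP_AUTH_LOGIN": admin_login,
                 "HTTP_AUTH_PASSWD": admin_password})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_session_response(resp.read())

# Constructed sample responses (not captured from a real server).
SAMPLE_OK = (b"<packet><server><create_session><result><status>ok</status>"
             b"<id>constructed-token-0001</id></result></create_session></server></packet>")
SAMPLE_ERR = (b"<packet><server><create_session><result><status>error</status>"
              b"<errtext>constructed error</errtext></result></create_session></server></packet>")
```

The resulting URL is a bearer credential for the panel: issue it only after the portal has authenticated the user, send it as a redirect over HTTPS, and keep it out of logs.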
After installing the extension, go to the subscription we need. On Websites & Domains, a new SSH Keys button has appeared on the right.
There is a list of keys and the ability to add a new key.
To be able to use SSH, you need to enable shell access for the particular user. This is done on Websites & Domains -> Web Hosting Access. For example, select /bin/bash and save the form.
I actively use this extension on almost all Plesk installations. Remembering a lot of passwords for a variety of domains (system users) is beyond my powers :)
Create your own mechanism
If, for some reason, none of the above is enough, you can create your own authentication mechanism. To do this, use the Extensions SDK. In particular, the Authentication Hook API will be useful.
As an example, you can look at the sources of the LDAP Auth extension - they are open.
So if you use Plesk and are tired of password authentication, there are other options to try. Some of them may prove interesting and suitable for daily use.