You can set up an authorization server to arrange technical support access to control panels. To ensure security, we recommend using a separate server for this purpose.

Server preparation consists of two stages:

  1. Configuring access to the control panel.
  2. Configuring SSH access.

This article provides the recommended installation procedure for Debian 8 Jessie OS. For other operating systems the order of installation and startup will be different. You can use your own scripts instead of ISPsystem scripts.

We recommend that you set up a firewall on the authorization server. In the firewall settings, allow incoming connections only for the support network.

Configuring access to the control panel


  1. Create goserver user to access the control panel:

    adduser --disabled-password --gecos "" goserver
  2. Download scripts from ISPsystem repository to that user's directory. For example, you can do this with git:
    1. Install git:

      apt-get update && apt-get -y install git
    2. Download the repository:

      git clone https://github.com/ispsystem/login-server /home/goserver/login-server
  3. Install the packages needed to run the scripts:

    apt-get -y install python-yaml python-paramiko gunicorn python-virtualenv gcc python-dev

    Note

    The packages gcc and python-dev are needed to install gevent module via pip. The Debian repository version of gevent can cause problems with SSL.

  4. To ensure that the installed modules do not interfere with the OS, create a virtual environment:

    virtualenv /home/goserver/venv
  5. Install the required packages into the created environment:

    /home/goserver/venv/bin/pip install gevent ipaddress
  6. Generate SSL certificates for the web server:

    openssl req -newkey rsa:1024 -nodes -keyout /home/goserver/server.key -out /home/goserver/server.crt -x509 -days 3650 -subj \
    "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=example.com/emailAddress=root@example.com"
    chown goserver:goserver /home/goserver/server.key /home/goserver/server.crt
  7. Create a configuration file for gunicorn:

    cat > /etc/gunicorn.d/goserver << EOF
    CONFIG = {
        'working_dir': '/home/goserver/login-server',
        'user': 'goserver',
        'group': 'goserver',
        'environment': {
            'PYTHONPATH': '/home/goserver/venv/lib/python2.7/site-packages',
        },
        'args': (
            '--bind', '1.1.1.1:8443',
            '--workers', '1',
            '--timeout', '60',
            '--reload',
            '--certfile', '/home/goserver/server.crt',
            '--keyfile', '/home/goserver/server.key',
            '--do-handshake-on-connect',
            '--ssl-version', '5',
            '--ciphers', 'TLSv1.2,TLSv1',
            '-k', 'gevent',
            'goserver:myapp',
        ),
    }
    EOF

    1.1.1.1 — server IP address

  8. Generate an SSH key without a passphrase:

    su -l goserver -c 'ssh-keygen -t dsa'
  9. Provide the contents of the /home/goserver/.ssh/id_dsa.pub file to the support team.

  10. Create a configuration file for the authorization server /home/goserver/login-server/config.yml:

    Example of a configuration file

    # path to the private SSH key. If the path is standard, it does not need to be specified.
    keyfile: /home/goserver/.ssh/id_dsa
    
    # Networks access from which is permitted. Use the format: network/netmask
    networks:
        - 192.168.0.0/24
    # Users in the format login: password encrypted with crypt function
    # Password can be encrypted as follows:
    # mkpasswd -m md5 -S `pwgen -s 8 1` __PASSWORD__
    users:
        user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
        user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
    
    # Log file in which transitions will be recorded. goserver user must have write permissions to this directory or the file must be created in advance.
    logfile: /var/log/goserver.log
  11. Create a separate log file:

    touch /var/log/goserver.log
    chown goserver /var/log/goserver.log
  12. Add gunicorn to the autostart and run it. If gunicorn is already running, it should be stopped beforehand:

    systemctl stop gunicorn
    systemctl enable gunicorn
    systemctl start gunicorn

Configuring SSH access


  1. Create support user for SSH access:

    adduser --disabled-password --gecos "" support
  2. Set the go script of the goserver user as the login shell for the support user:

    usermod -s /home/goserver/login-server/go support
  3. Install sudo:

    apt-get -y install sudo
  4. Allow the support user to run SSH as the goserver user. Add the following line to the /etc/sudoers file:

    support ALL=(goserver) NOPASSWD: /usr/bin/ssh

    Note

    To edit the /etc/sudoers file, we recommend using the visudo command.

  5. Configure go script:

    1. Create the file /home/goserver/login-server/config.sh:

      cat > /home/goserver/login-server/config.sh << EOF
      log=/var/log/gossh.log  # path to authorizations log file. support user must have write permissions to this directory or the file must be created in advance.
      logdir=/var/log/gossh  # path to the directory with stdout connection log files. support user must have write access to this directory.
      #keyfile=path_to_file  # path to the private SSH key. If the path is standard, it does not need to be specified
      sudouser=goserver  # user by which sudo will be launched
      EOF
    2. Create files and directories for the logs:

      touch /var/log/gossh.log
      chown support /var/log/gossh.log
      mkdir -p /var/log/gossh
      chown support /var/log/gossh
  6. Configure log file rotation:
    1. Install logrotate:

      apt-get -y install logrotate
    2. Create the file with logrotate settings:

      cat > /etc/logrotate.d/goserver << EOF
      /var/log/gossh/*.log {
              size 1M
              copytruncate
              delaycompress
              compress
      }
      /var/log/gossh.log {
              size 1M
              copytruncate
              delaycompress
              compress
      }
      /var/log/goserver.log {
              size 1M
              delaycompress
              compress
              postrotate
                      systemctl reload gunicorn
              endscript
      }
      EOF

Using the authorization server


Configuring authorization

To connect to the control panel:

  1. Encrypt user passwords to connect to the server:

    mkpasswd -m md5 -S `pwgen -s 8 1` <pass>

    <pass> — unencrypted password

  2. Add user names and encrypted passwords to the users section of the file /home/goserver/login-server/config.yml:

    Example of configuration

    users:
        user1: $1$J5hIelk6$JcTj78g3r7ddKW7ZX7j2x1
        user2: $1$gGJvd0dz$BoCItoXBq6EqdTg1m4G6D1
  3. Update your web server settings:

    systemctl reload gunicorn
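
How a request is gated by the networks and users sections of config.yml, as an added Python example that is not ISPsystem's login-server code: the $1$ (md5-crypt) scheme that mkpasswd -m md5 produces is reimplemented on hashlib so the check runs on any Python 3 without the deprecated crypt module, and the source address is tested against the networks list with ipaddress. SAMPLE_CONFIG, the salt reuse and the password "correct horse" are constructed for the example; the page's own sample hashes are not used because their plaintexts are unknown.

```python
import hashlib
import hmac
import ipaddress

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet

def md5_crypt(password: str, salt: str) -> str:
    """Return the $1$ (md5-crypt) hash of password, the scheme mkpasswd -m md5 produces."""
    pw, sl = password.encode(), salt[:8].encode()  # crypt(3) uses at most 8 salt chars
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])  # len(pw) bytes of MD5(pw, salt, pw)
    for bit in bin(len(pw))[:1:-1]:  # length bits, LSB first: 1 -> NUL byte, 0 -> first char
        ctx.update(b"\0" if bit == "1" else pw[:1])
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching, exactly as crypt(3) does it
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = bytearray()
    for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c]  # five 24-bit groups -> 4 chars each
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    out += bytes([ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]])  # last byte -> 2 chars
    return "$1$" + sl.decode() + "$" + out.decode()

def verify_password(password: str, stored: str) -> bool:
    """Check a plaintext password against a $1$salt$hash value from the users: section."""
    parts = stored.split("$")  # ["", "1", salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)

def authorize(config: dict, login: str, password: str, client_ip: str) -> bool:
    """Client must come from a networks: entry and present valid users: credentials."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in ipaddress.ip_network(n, strict=False) for n in config["networks"]):
        return False
    stored = config["users"].get(login)
    return stored is not None and verify_password(password, stored)

SAMPLE_CONFIG = {"networks": ["192.168.0.0/24"],  # constructed stand-in for the parsed config.yml
                 "users": {"user1": md5_crypt("correct horse", "J5hIelk6")}}  # hash made here
```

Any hash produced by mkpasswd -m md5 (or by this md5_crypt) can be dropped into the users section and checked with verify_password; an unknown login, a wrong password, or a client outside the networks list all fail authorize.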

To connect via SSH, add the public part of the SSH key of the support representative to the file /home/support/.ssh/authorized_keys.

Example of commands

Connect via SSH

ssh -t support@1.1.1.1 go 2.2.2.2

1.1.1.1 — authorization server IP address

2.2.2.2 — control panel server IP address

Connect via SSH and run the command

ssh -t support@1.1.1.1 go 2.2.2.2 ps uxaw

1.1.1.1 — authorization server IP address

2.2.2.2 — control panel server IP address

ps uxaw — executable command

Copy the files to the server

rsync -aPv /tmp/srv/ -e "ssh -t support@1.1.1.1 go" 2.2.2.2:/tmp/

1.1.1.1 — authorization server IP address

2.2.2.2 — control panel server IP address

/tmp/srv/ — directory with the files to be copied

/tmp/ — directory on the server, where you need to write the files