Logging people into Plesk without them seeing/knowing the password

HostaHost

Regular Pleskian
Cross posted from psa9:

Just curious if anyone's come up with a way to log staff into Plesk without them knowing the admin password? I was thinking something in php/curl would be ideal, but I haven't had success with that because I have no way of getting the PHPSESSID from the destination server onto the user's computer with the correct cookie domain, and I think Plesk must be IP-specific for its sessions, because if I do the login in php/curl and obtain the resulting PHPSESSID, then redirect the client's browser to the login page with the PHPSESSID as a POST variable or URL variable, that just gives them the login screen again.

I'm assuming the psa database's sessions table relies on an underlying php session so I haven't tried just remotely inserting a record in that table with my own generated session id and the user's ip, etc.
 
Why do you wanna do that?
I think it's not possible with curl because of the problems you described. Plesk sessions check the IP address, so it's not possible to create a session with curl and send the cookie to the user if this user uses a different IP than your PHP server.

You can do something with JavaScript, but then it will be easy for these people to find out the password.

Have you checked the Plesk single sign-on service?
http://kb.odin.com/en/5978
 
Why do you wanna do that?

So support staff can gain access to customer control panels without needing to have knowledge of the admin password and so we can track who logs into the servers and when since once you're logged in you can clear the activity log.

SSO won't work for us for a few reasons.

I wonder if a flash-based page would work to protect the password from being visible as a 'view source'.
 
Can't you create a reseller and link all your customers to it, so the support team can use this reseller account instead of the admin account?

Flash will not work: you have to send an HTTP POST request with login name + password to get the session, and this HTTP POST request can be captured every time it's done by the browser.

What do you think about a simple login script which sends the HTTP POST request and gets the session? It's possible to capture the password from that POST request, but you can use a second script changing your Plesk admin password every 15 min, for example. The login script and the script changing the password have to be linked so the login script knows the password every time. Now it's no problem that users can capture the password, because it only works for the next 15 minutes; only your login script knows the password which is generated for the next 15 mins :)
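
One way to link the two scripts proposed in the post above, shown as an added example that is not code from the thread or from Plesk: both scripts derive the password for the current 15-minute window from a shared secret with HMAC, and the login script records who asked. The function names, the secret and the server name are assumptions; actually setting the password on the panel is left to whatever mechanism the rotation script uses.

```python
import base64
import hashlib
import hmac
import time

WINDOW_SECONDS = 15 * 60  # the 15-minute lifetime proposed in the post


def window_index(now: float) -> int:
    """Number of the 15-minute window that contains the timestamp."""
    return int(now // WINDOW_SECONDS)


def derive_password(secret: bytes, server: str, window: int) -> str:
    """Password for one server in one window, derived from the shared secret."""
    msg = f"{server}|{window}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # 18 bytes encode to 24 URL-safe characters with no padding
    return base64.urlsafe_b64encode(digest[:18]).decode()


def rotation_due(last_window: int, now: float) -> bool:
    """Rotation script: True when the panel still holds an older window's password."""
    return window_index(now) != last_window


def broker_login(secret, server, staff_id, now, audit_log):
    """Login script: record who asked, then return the current password and
    the seconds left before the rotation script replaces it."""
    window = window_index(now)
    # The record lives with the broker, not in the panel's own activity log.
    audit_log.append({"time": int(now), "staff": staff_id, "server": server})
    remaining = WINDOW_SECONDS - int(now % WINDOW_SECONDS)
    return derive_password(secret, server, window), remaining


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    log = []
    pw, left = broker_login(secret, "panel.example.test", "alice", time.time(), log)
    print(pw, left, log)
```

A password captured from the POST request stops working once the rotation script applies the next window's value, and neither script has to store or exchange the password itself.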
 
Oh, by customers I mean customers who each have their own server and copy of Plesk running on it, and admin access, so we can't change their passwords regularly without affecting the customer, but we also don't want the front-line support staff having the Plesk admin passwords of the servers.

Co-worker found this: http://kb.odin.com/en/1631

That would let me post for them via curl and then log them in using the session ID even in light of the IP change, so that might be the solution.
 