Howto Allow Univention Support to Access Your System

Howto

Allow Univention Support to access your system.

Option 1 - ssh

How to use the Univention “ssh tunnel” to allow support to access your local system.

Step 1

Log on to the text console as user “root” (not Administrator!).

  • When accessing remotely through the network, use the ssh protocol from
    • Windows
      • PuTTY to connect to your server
      • ssh <IP.OF.YOUR.SERVER> command from the command prompt
    • Linux: ssh <IP.OF.YOUR.SERVER>

Step 2 (optional)

Store the support key on your server so Univention Support can access the tunnel (once established by you) and the server through an encrypted connection without a password.

root@ucs:~# echo -en "\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyq10TRAG7OZarKQmXeyo2ONAOutIAXZzTcLCBycRXr4pZ5ElBZMeYF5gFSYqL+k435eY/fOBdcvdZ8tyyxTucRalUhkS9LeKXow9km950i9UDCEz8O2DgabZxiMmT/BDWWS+WO0tD24cWvyFl5YcuLEfJ5mw9jClQlQIiCArfIPFphMY+YKHTCRNkYNTt4KhY/KR9ATpWV7Bc3qzaMYUkcdhRg8cFHm5Vfj9gqncUrrdnq4j7MB+DZK7aUz8lFODqDtI63Qvy//Ve1NF+6ACsRMlldH85GDUg7QmMmS6b2PcKVRYn4lH7CwnwJizb3SJPYZx/XYmsgd/w6i2fpe5J root@kundenlogin" >>/root/.ssh/authorized_keys

Step 3

Type the command sent to you by support exactly as it is written (your ports will be different from the ones shown here):
screen ssh -R44654:localhost:22 -N <CUSTOMER>@tunnel.univention.de

Step 4 (when connecting the first time)

Type in “yes” when requested:

The authenticity of host 'tunnel.univention.de (176.9.129.45)' can't be established.
RSA key fingerprint is SHA256:ed3+v/pmMdNd7nCvwX9WCTzHoXhhOsOvBgfJQHkovC4.
Are you sure you want to continue connecting (yes/no)? yes

Step 5

Type in the password when requested. Note: You will not see what you type and you will not get any output. After pressing “Enter” the tunnel should be established without further notice.

Warning: Permanently added 'tunnel.univention.de,176.9.129.45' (RSA) to the list of known hosts.
Debian GNU/Linux 10
excelsior@tunnel.univention.de's password: 
 

Step 6

If you are not using the authorized key, you have to tell Univention support the “root” password (by email or phone) so that they can access your server.
Note: In case you do not want to expose the root password, you can change it for Univention support and switch back once the remote session is done. Use the command passwd for this:

root@praxis:~# passwd
Geben Sie ein neues Passwort ein: 
Schlechtes Passwort: Es ist VIEL zu kurz
Schlechtes Passwort: ist ein Palindrome
Geben Sie das neue Passwort erneut ein: 
passwd: Passwort erfolgreich geändert

Note: Notice the last line. It will write “changed successfully” despite the warnings before.
Remember to reset the password to your default after the session with the passwd command as above.

Step 7 (Optional)

If you have more than one UCS server and you want the Univention support team to analyze or repair problems in your domain, access to more than the one server you opened the ssh tunnel on is necessary. Either the Univention support team needs the root password, or you create an ssh key without a password and add the public key to all other servers where access is needed (if in doubt, all). Please follow the steps in this article.
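
Step 2 appends the support key to /root/.ssh/authorized_keys, where it stays valid until someone removes it. The shell functions below are an added example, not part of the original article or of Univention's tooling: they add the key only once and remove it again after the session. The function names and the placeholder key are assumptions.

```shell
#!/bin/sh
# Added example: keep the Step 2 support key in authorized_keys only for the
# duration of a support session. All function names are hypothetical.

# Constructed placeholder, NOT the real support key: use the line from Step 2.
SUPPORT_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDPLACEHOLDERKEY root@kundenlogin'

# Extract the base64 key blob (second field of a plain public key line).
key_blob() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# support_key_present FILE KEYLINE: succeed if FILE holds that key blob,
# even when the entry is prefixed with authorized_keys options.
support_key_present() {
    [ -f "$1" ] || return 1
    awk -v b="$(key_blob "$2")" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$1"
}

# support_key_add FILE KEYLINE: append once, never duplicating the entry.
support_key_add() {
    if support_key_present "$1" "$2"; then return 0; fi
    ( umask 077; mkdir -p "$(dirname "$1")"; touch "$1" ) || return 1
    # Start on a fresh line if the file does not end with a newline.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' "$2" >> "$1"
}

# support_key_remove FILE KEYLINE: drop every entry carrying that key blob,
# leaving all other keys untouched.
support_key_remove() {
    [ -f "$1" ] || return 0
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if awk -v b="$(key_blob "$2")" \
        '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0 } keep' "$1" > "$tmp" \
        && chmod 600 "$tmp" && mv "$tmp" "$1"; then return 0; fi
    rm -f "$tmp"; return 1
}

# Usage on the UCS server, as root:
#   support_key_add    /root/.ssh/authorized_keys "$SUPPORT_KEY"   # before the session
#   support_key_remove /root/.ssh/authorized_keys "$SUPPORT_KEY"   # after the session
```

Matching on the key blob rather than on the trailing comment means the entry is found even if the comment was edited or options were placed in front of it.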

Option 2 - Teamviewer

How to use Teamviewer to allow support to access your local system.

Step 1

Download or install Teamviewer for your local operating system. Note: You should NOT install Teamviewer on your UCS server.

Step 2

Open the Teamviewer application. For further details, please check the Teamviewer Knowledge Base.

Step 3

Tell support your Teamviewer ID and the password.
