Sunday, February 13, 2011

remote server shutdown.

In 2009 I wrote about passwordless shutdown of Ubuntu. At that time my objective was remote shutdown and boot-up of the server, i.e. from an iPhone or Zaurus running an ultra-lite web server.

The resulting system would send the magic packet to wake up the main server, zip the day's data, scp the data to the main server and then ssh to the shutdown user (causing the machine to halt). Now that I have an old iPhone 3G I was seriously considering porting my ultra-light server to it.

Anyway, somehow I got off track... again... My Ubuntu server didn't cleanly upgrade to 10.10, so I am rebuilding it from scratch. Here is how to set up the auto shutdown user:

First add the shutdown user:
sudo adduser --home /home/shutdown shutdown

Or add an existing user to the shutdown group (or a combination of both):
sudo usermod -a -G shutdown username

Grant him ssh rights with:
sudo vi /etc/ssh/sshd_config

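Add the line below. Once any AllowUsers line is present, only the users it lists can log in over ssh, so list your other ssh accounts as well: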
AllowUsers shutdown

And set up his ssh key:
sudo su -l shutdown
mkdir -p .ssh
chmod 700 .ssh/
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
vi .ssh/authorized_keys

And add the line (with your ssh key, and note the forced command "/sbin/halt"):
command="/sbin/halt",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa .... ==
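
An added example, not from the original post: a small audit that flags any key line in the shutdown account's authorized_keys that lacks the forced command or one of the four restrictions shown above. The function name and the sample key lines are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: check that every key in the
# shutdown account's authorized_keys is pinned to the forced command.
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# audit_authorized_keys FILE EXPECTED_COMMAND   (hypothetical helper name)
# Prints one finding per problem; returns 0 only if every key is restricted.
audit_authorized_keys() {
    local file="$1" expected="$2" lineno=0 bad=0 line opts opt
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;             # blank line or comment
            ssh-*|ecdsa-*)                   # key type comes first: no options
                echo "line $lineno: key is not restricted to a forced command"
                bad=1; continue ;;
        esac
        # Options are the text before the key type (simplification: assumes
        # the forced command contains no " ssh-", " ecdsa-" or comma).
        opts=${line%% ssh-*}
        opts=${opts%% ecdsa-*}
        case ",$opts," in
            *",command=\"$expected\","*) ;;
            *) echo "line $lineno: forced command is not $expected"; bad=1 ;;
        esac
        for opt in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "line $lineno: missing $opt"; bad=1 ;;
            esac
        done
    done < "$file"
    return $bad
}

# Constructed sample input; the key material is a placeholder, not a real key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
command="/sbin/halt",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAEXAMPLE admin@phone
command="/sbin/halt",no-port-forwarding ssh-rsa AAAAEXAMPLE partial@laptop
ssh-rsa AAAAEXAMPLE forgotten@desktop
EOF
audit_authorized_keys "$sample" /sbin/halt || echo "fix the lines reported above"
rm -f "$sample"
```

Pass the exact command string your own key line uses as the second argument.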

Now, by default halt can't be run without sudo, so to fix that edit the sudoers file:
sudo visudo
UPDATE: You can now add an extension file to the sudoers.d directory instead of modifying /etc/sudoers directly, so that it doesn't break on every system upgrade:
sudo vi /etc/sudoers.d/passwordless_shutdown

Add these lines to grant rights for the halt command to shutdown (and no one else):
%shutdown ALL=NOPASSWD: /sbin/shutdown
%shutdown ALL=NOPASSWD: /sbin/halt

Then halt can be run as follows (and no password will be required):
sudo halt

If this still isn't sufficient (and it isn't for some scripting applications), the "sudo" part of the command can be removed by chmod-ing the halt command so that it's runnable by users other than root. The +s sets the setuid bit, so the binary runs as root for whoever invokes it:
sudo chmod +s /sbin/reboot

Of course this basically gives any user on the system shutdown rights, so be careful with the chmod way.

1 comment:

  1. In /etc/sudoers, %shutdown shall be shutdown

    %name means a group