/usr/bin/sudo /sbin/shutdown as shell does not work using ssh



reino
1st October 2010, 11:48 PM
Hi all,

I try to shut down a box running Fedora (fc12, all updates applied) remotely. From various threads I selected the following way that suits my needs best:


I edited the entry for shutdown in /etc/passwd:
shutdown:x:6:0:shutdown:/sbin:/usr/bin/sudo /sbin/shutdown -h +1

Logging in from a tty with shutdown gives the desired result: The computer does the shutdown.


Then I tried the same using sshd and plink:
plink -t -l shutdown -pw xxx 10.0.0.123

As a result I get:
Using username "shutdown".
Access denied
Access denied
shutdown@10.0.0.123's password:

The /var/log/secure shows the following entry:
Oct 2 00:40:46 rotgschirr sshd[6841]: User shutdown not allowed because shell /usr/bin/sudo /sbin/shutdown -h +1 does not exist
Oct 2 00:40:46 rotgschirr sshd[6846]: input_userauth_request: invalid user shutdown
Oct 2 00:40:46 rotgschirr unix_chkpwd[6847]: password check failed for user (shutdown)
Oct 2 00:40:46 rotgschirr sshd[6841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rotgschirr.totes-gebirge user=shutdown
Oct 2 00:40:48 rotgschirr sshd[6841]: Failed password for invalid user shutdown from 10.0.0.123 port 37195 ssh2
Oct 2 00:40:50 rotgschirr sshd[6846]: Connection closed by 10.0.0.123



Somehow when using ssh the shell /usr/bin/sudo /sbin/shutdown -h +1 cannot be found. Does anyone know how I could overcome this problem?


Any help appreciated,
thank you and best regards,
Reinhard

jpollard
2nd October 2010, 12:22 AM
You can't do it that way over ssh.

The problem is that when sshd terminates, it also terminates the shutdown, leaving
the system in a partially dead state.

Instead of using /sbin/shutdown, use "telinit 0".

This directs init to halt the system (without delay). The init process is then handling
the shutdown and not the terminal session that will very quickly get terminated.
This is a graceful shutdown.

If you wanted to reboot the system, use "telinit 6", but note - the only way to control
which system is booted is via the grub default, or someone at the console.

reino
2nd October 2010, 11:50 PM
Thanks for the help.

Unfortunately I get quite the same result.

I changed the entry in /etc/passwd and the necessary entry in /etc/sudoers:
shutdown:x:6:0:shutdown:/sbin:/usr/bin/sudo /sbin/telinit 0

From a tty all works fine. The computer shuts down.

Via sshd with plink, same command as below, I get:
Using username "shutdown".
Access denied

The /var/log/secure shows the following entry:
Oct 3 00:38:13 rotgschirr sshd[2249]: User shutdown not allowed because shell /usr/bin/sudo /sbin/telinit 0 does not exist
Oct 3 00:38:13 rotgschirr sshd[2250]: input_userauth_request: invalid user shutdown
Oct 3 00:38:13 rotgschirr unix_chkpwd[2251]: password check failed for user (shutdown)
Oct 3 00:38:13 rotgschirr sshd[2249]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.123 user=shutdown
Oct 3 00:38:15 rotgschirr sshd[2249]: Failed password for invalid user shutdown from 10.0.0.123 port 49341 ssh2
Oct 3 00:38:15 rotgschirr sshd[2250]: Received disconnect from 10.0.0.123: 13: Unable to authenticate


Any idea what's going wrong here?


Thanks,
Reinhard

jpollard
3rd October 2010, 12:46 AM
Ahhh.. no.

You don't want to do it that way. I believe you got the authentication failure because
the last field of the passwd file cannot have multiple tokens. It is supposed to be
the program to use for the shell of the user. The error message suggests this
but because of missing quotes (which I think should be there), the message:


User shutdown not allowed because shell /usr/bin/sudo /sbin/telinit 0 does not exist

should actually be:


User shutdown not allowed because shell '/usr/bin/sudo /sbin/telinit 0' does not exist


Set up your shutdown user normally (give it a real shell, like bash).

To shut the system down do "ssh remotehost sudo telinit 0".

If a second password is required, you should get prompted. If that fails try
"ssh -t remotehost sudo telinit 0". This forces a terminal on the remote side.

If this works, you can create an executable (I think a script will work) that
can then be used for the shell. The script would only have two lines - something
like:


#!/bin/bash
/usr/bin/sudo /sbin/telinit 0


But allowing a full login will allow you to choose other options for telinit, allowing
you to reboot, switch to run level 3, or halt the system. A bit more flexible.

reino
3rd October 2010, 09:02 PM
Hello!

Finally I put the telinit command in the logon script for user shutdown. This works fine for me and I hope there is no disadvantage in this way.

The script as command shell did not run. I got similar error messages again.


Thank you for all help!

All the best,
Reinhard

jpollard
3rd October 2010, 09:39 PM
The failure as a command shell will be due to a requirement that valid shells for
users have to be listed in the /etc/shells file. By default, this only includes /bin/sh,
/bin/bash, /sbin/nologin (to disable login), /bin/tcsh, /bin/csh, and /bin/zsh.

You would have to include your shell here.

Using the logon script is fine.
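As an added example (not code from either poster), the script below applies the two conditions raised in this thread to constructed sample passwd and shells data: the whole seventh passwd field is taken as one path, so a value with spaces names a file that does not exist, and the path must be listed in /etc/shells. Both inputs are embedded inline, so nothing on the real system is read or changed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the login-shell field of
# passwd entries against the two conditions discussed above.
# 1. The whole seventh field is treated as ONE path, so a value such as
#    "/usr/bin/sudo /sbin/telinit 0" names a file that does not exist.
# 2. The path must be listed in /etc/shells.
# Both inputs are constructed samples embedded inline so this runs offline.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/usr/bin/sudo /sbin/telinit 0
halt:x:7:0:halt:/sbin:/sbin/halt
ops:x:500:500:Ops:/home/ops:/usr/local/bin/shutdown-shell'

SHELLS_SAMPLE='/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/zsh'

# check_shell FIELD: prints a verdict; exit 0 = acceptable, 1 = multi-token
# field, 2 = not listed in the (sample) /etc/shells.
check_shell() {
    case $1 in
        *' '*)
            echo "REJECT multi-token shell field: '$1'"
            return 1 ;;
    esac
    if ! printf '%s\n' "$SHELLS_SAMPLE" | grep -qx -- "$1"; then
        echo "REJECT not listed in /etc/shells: $1"
        return 2
    fi
    echo "OK $1"
}

# audit_passwd: one verdict line per account, prefixed with the user name.
# The last variable of read collects the remainder of the line, so a shell
# field containing spaces arrives intact.
audit_passwd() {
    printf '%s\n' "$PASSWD_SAMPLE" |
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        printf '%s: %s\n' "$user" "$(check_shell "$shell")"
    done
}

# count_rejects: number of accounts whose shell field would be refused.
count_rejects() {
    audit_passwd | grep -c ': REJECT'
}

audit_passwd
```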