Script to shutdown remote system?

walterbyrd

Active Member

Reaction score: 27
Messages: 120

Ultimately, I want to shut down a FreeBSD box from my Android (there are lots of Android apps to run scripts).

I do not want to be prompted for a password.

One step at a time: first, I just want to shut down the remote from another FreeBSD box.

The following did not work:

Code:
#!/bin/sh

ssh -t walter@192.168.1.2 "echo PASSWORD | sudo shutdown -p now"

I am prompted for a password twice.

Taking a step back, I tried to just ssh into the remote:

Code:
#!/bin/sh

echo PASSWORD | ssh walter@192.168.1.2

I get the error message:
> Pseudo-terminal will not be allocated because stdin is not a terminal.

I tried another script, which supposedly worked for bash:

Code:
#!/bin/sh
spawn ssh walter@192.168.1.2
expect "password:"
sleep 1
send "PASSWORD:"

Get the following errors:
> ./t.sh: spawn: not found
> ./t.sh: expect: not found
> ./t.sh: send: not found

BTW: while developing a script, I often use one letter filenames. I change the names once I get the script to work.

I am out of ideas.

Maybe I should try another language? Like Python or Perl? I am not sure how that would work from an Android.

Any thoughts appreciated. Thanks in advance.
 

tobik@

Daemon
Developer

Reaction score: 1,423
Messages: 1,909

Murph

Well-Known Member

Reaction score: 183
Messages: 297

A trick from the good old days, which could be adapted to the modern SSH era. It was not unusual to create a user named shutdown, with root UID & GID, but /sbin/shutdown as its shell. I.e. something like the following:
Code:
shutdown::0:0::0:0:Shutdown:/shutdown:/sbin/shutdown
You can use this rough technique to engineer a solution where the SSH keys can't be used for anything other than shutting the system down.

The historical use of this was to have a console-only user which could shut the system down either without a password, or with a password that didn't really give other privileged access to the system. The facility could be given to workstation users (in the case of people not allowed root on their own workstations), or junior systems/operations staff who would not normally be given widespread root access. It's not just from a pre-ssh era, it's also from a pre-sudo era.

Whatever you do, don't go with passwords embedded in scripts, for anything! It's just horrible and pretty much an accident waiting to happen. Use keys, they are not hard to use.
 

walterbyrd

Active Member

Reaction score: 27
Messages: 120

> A trick from the good old days, which could be adapted to the modern SSH era. It was not unusual to create a user named shutdown, with root UID & GID, but /sbin/shutdown as its shell. I.e. something like the following: Use keys, they are not hard to use.

I like the idea, but it did not seem to work. The "shutdown" user was logged in with sh shell.

Maybe I could put a shutdown startup script in .profile or something?
 

tobik@

Daemon
Developer

Reaction score: 1,423
Messages: 1,909

> You can use this rough technique to engineer a solution where the SSH keys can't be used for anything other than shutting the system down.

We can go further with SSH. SSH can be configured to autorun a specific command whenever you log in with a specific key. It's also useful to restrict port forwarding etc. (see sshd(8) for what restrict does here), e.g. in /home/walter/.ssh/authorized_keys:
Code:
command="sudo shutdown -p now",restrict <your ssh public key here>
Whenever you run ssh -T -i ~/path/to/private/key walter@192.168.1.2, it'll run sudo shutdown -p now automatically (and only allow that command).
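
The forced-command entry described above, as an added example that is not part of the original post: a POSIX sh script that builds the `command="...",restrict` line and audits an authorized_keys file for keys that are not pinned this way. `restricted_entry` and `audit_keys` are hypothetical helper names, and the public key is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. restricted_entry and audit_keys are
# hypothetical helpers; the key below is a constructed placeholder.

# restricted_entry CMD PUBKEY: print an authorized_keys line pinning PUBKEY
# to CMD. CMD must not contain double quotes in this simple version.
restricted_entry() {
    case $1 in
        *\"*) echo "command must not contain double quotes" >&2; return 1 ;;
    esac
    printf 'command="%s",restrict %s\n' "$1" "$2"
}

# audit_keys FILE: print "LINE:STATUS" for each key line in FILE.
#   PINNED  has both command= and restrict
#   PARTIAL has options, but not both of those
#   OPEN    has no options, so the key gets a normal login
# Returns non-zero if any key is not PINNED.
audit_keys() {
    awk '
    # Option names with quoted values dropped, e.g. command=,restrict
    function bare_opts(line,   i, c, q, out) {
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (q && c == "\\") { i++; continue }   # skip escaped char
            if (c == "\"") { q = !q; continue }     # enter or leave quotes
            if (!q) { if (c == " " || c == "\t") break; out = out c }
        }
        return out
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments, blank lines
    {
        sub(/^[ \t]+/, "")
        o = "," bare_opts($0) ","
        if (o ~ /^,(ssh-|ecdsa-|sk-)/) s = "OPEN"   # line starts with key type
        else if (o ~ /,command=,/ && o ~ /,restrict,/) s = "PINNED"
        else s = "PARTIAL"
        if (s != "PINNED") bad = 1
        print NR ":" s
    }
    END { exit bad + 0 }
    ' "$1"
}

# Demo: the entry from the post, built for the constructed placeholder key.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER phone'
restricted_entry 'sudo shutdown -p now' "$KEY"
```

The audit only checks that both options are present; it does not flag options such as pty that re-enable a capability after restrict.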
 

walterbyrd

Active Member

Reaction score: 27
Messages: 120

Okay, I got something that works.

Create a "shutdown" user, like any other user. I use a one letter user name.
Add that user to the operator group.
Comment out everything in the user's .profile file.
Put the following in the .profile file:
shutdown -p "now"

On my Android device I use an app called "connectbot".
I use one letter for the user name, and a very simple password.
I think a simple password is safe because all you can do is shut down the system.

I click the connectbot icon
Choose x@192.168.1.2 (once you enter it, it will stay there for you to choose next time).
Enter the very simple password
The system shuts down.

I tried creating a user account that did not require any password, but I kept getting a PAM authentication error.

I prefer not having any password, and connectbot can generate an ssh key. But the password is very simple, so this is good enough. It's just a home system.

BTW-1: I do this so I can watch movies from my plex server, which I have in my basement, while I am in bed. Then shut down the plex server so it won't be running all night.

BTW-2: the IP addresses, and login names, etc. that I have been using are not what I actually use.
 

tobik@

Daemon
Developer

Reaction score: 1,423
Messages: 1,909

> I think a simple password is safe because all you can do is shutdown the system.

That's not true; once someone has your password they can effectively do everything that the shutdown user can do. If you give a command to run to ssh, it'll never run your login shell, i.e. what's in .profile will never get executed. But since this is at home, whatever :)
 

phoenix

Administrator
Staff member
Administrator
Moderator

Reaction score: 1,290
Messages: 4,099

Just add your remote user to the operator group, and they'll be able to run shutdown without needing sudo, su, or root.
 