Is it possible to remotely cancel a scheduled shutdown when /run/nologin exists?
Clash Royale CLAN TAG#URR8PPP
up vote
5
down vote
favorite
Consider this scenario:
- User
ssh
into a system and does whatever he/she wants. Then schedules a
shutdown
using:sudo shutdown -h +1
- Finally closes the ssh session
Now /run/nologin
has been created and no one can login anymore, but something comes up and we want to ssh
back to the system before it goes down.
Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?
ssh shutdown
add a comment |Â
up vote
5
down vote
favorite
Consider this scenario:
- User
ssh
into a system and does whatever he/she wants. Then schedules a
shutdown
using:sudo shutdown -h +1
- Finally closes the ssh session
Now /run/nologin
has been created and no one can login anymore, but something comes up and we want to ssh
back to the system before it goes down.
Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?
ssh shutdown
add a comment |Â
up vote
5
down vote
favorite
up vote
5
down vote
favorite
Consider this scenario:
- User
ssh
into a system and does whatever he/she wants. Then schedules a
shutdown
using:sudo shutdown -h +1
- Finally closes the ssh session
Now /run/nologin
has been created and no one can login anymore, but something comes up and we want to ssh
back to the system before it goes down.
Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?
ssh shutdown
Consider this scenario:
- User
ssh
into a system and does whatever he/she wants. Then schedules a
shutdown
using:sudo shutdown -h +1
- Finally closes the ssh session
Now /run/nologin
has been created and no one can login anymore, but something comes up and we want to ssh
back to the system before it goes down.
Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?
ssh shutdown
ssh shutdown
edited Sep 1 at 2:44
Jeff Schaller
32.8k849110
32.8k849110
asked Aug 31 at 17:36
Ravexina
962719
962719
add a comment |Â
add a comment |Â
3 Answers
3
active
oldest
votes
up vote
9
down vote
accepted
Beside of using "root" account to make a new ssh
connection, we can actually use PAM to allow specific user or groups logging in.
PAM configurations of sshd
are located at: /etc/pam.d/sshd
which are in responsible of what you are looking for.
By editing this file and using pam_succeed_if.so
we can allow specific user or group to login even when /run/nologin
exists on machine.
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
other PAM items. One use is to select whether to load other modules based on this test.
So we use it to detect whatever we should load pam_nologin.so
module or not based on your username or user-group.
Open the file using your favorite text editor:
$ sudo vi /etc/pam.d/sshd
And find these lines:
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
Add this line between them:
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
So now the lines should look like this:
# Disallow non-root logins when /etc/nologin exists.
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
Now users who are in sudo
group can login even when /run/nologin
exists.
And to allow a specific user:
account [default=2 success=ignore] pam_succeed_if.so quiet user != username
For more flexible conditions checkout:
man pam_succeed_if
add a comment |Â
up vote
3
down vote
If root
can remotely login to the system, nologin
is ignored. However, most sane admins will not permit root
to directly login remotely, in favor of an authorized user logging in and using sudo
. If the latter is not the case, however, root
can log in and abort the shutdown.
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
up vote
2
down vote
The nologin
is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys
, then you can login with that key as root.
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
9
down vote
accepted
Beside of using "root" account to make a new ssh
connection, we can actually use PAM to allow specific user or groups logging in.
PAM configurations of sshd
are located at: /etc/pam.d/sshd
which are in responsible of what you are looking for.
By editing this file and using pam_succeed_if.so
we can allow specific user or group to login even when /run/nologin
exists on machine.
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
other PAM items. One use is to select whether to load other modules based on this test.
So we use it to detect whatever we should load pam_nologin.so
module or not based on your username or user-group.
Open the file using your favorite text editor:
$ sudo vi /etc/pam.d/sshd
And find these lines:
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
Add this line between them:
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
So now the lines should look like this:
# Disallow non-root logins when /etc/nologin exists.
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
Now users who are in sudo
group can login even when /run/nologin
exists.
And to allow a specific user:
account [default=2 success=ignore] pam_succeed_if.so quiet user != username
For more flexible conditions checkout:
man pam_succeed_if
add a comment |Â
up vote
9
down vote
accepted
Beside of using "root" account to make a new ssh
connection, we can actually use PAM to allow specific user or groups logging in.
PAM configurations of sshd
are located at: /etc/pam.d/sshd
which are in responsible of what you are looking for.
By editing this file and using pam_succeed_if.so
we can allow specific user or group to login even when /run/nologin
exists on machine.
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
other PAM items. One use is to select whether to load other modules based on this test.
So we use it to detect whatever we should load pam_nologin.so
module or not based on your username or user-group.
Open the file using your favorite text editor:
$ sudo vi /etc/pam.d/sshd
And find these lines:
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
Add this line between them:
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
So now the lines should look like this:
# Disallow non-root logins when /etc/nologin exists.
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
Now users who are in sudo
group can login even when /run/nologin
exists.
And to allow a specific user:
account [default=2 success=ignore] pam_succeed_if.so quiet user != username
For more flexible conditions checkout:
man pam_succeed_if
add a comment |Â
up vote
9
down vote
accepted
up vote
9
down vote
accepted
Beside of using "root" account to make a new ssh
connection, we can actually use PAM to allow specific user or groups logging in.
PAM configurations of sshd
are located at: /etc/pam.d/sshd
which are in responsible of what you are looking for.
By editing this file and using pam_succeed_if.so
we can allow specific user or group to login even when /run/nologin
exists on machine.
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
other PAM items. One use is to select whether to load other modules based on this test.
So we use it to detect whatever we should load pam_nologin.so
module or not based on your username or user-group.
Open the file using your favorite text editor:
$ sudo vi /etc/pam.d/sshd
And find these lines:
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
Add this line between them:
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
So now the lines should look like this:
# Disallow non-root logins when /etc/nologin exists.
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
Now users who are in sudo
group can login even when /run/nologin
exists.
And to allow a specific user:
account [default=2 success=ignore] pam_succeed_if.so quiet user != username
For more flexible conditions checkout:
man pam_succeed_if
Beside of using "root" account to make a new ssh
connection, we can actually use PAM to allow specific user or groups logging in.
PAM configurations of sshd
are located at: /etc/pam.d/sshd
which are in responsible of what you are looking for.
By editing this file and using pam_succeed_if.so
we can allow specific user or group to login even when /run/nologin
exists on machine.
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
other PAM items. One use is to select whether to load other modules based on this test.
So we use it to detect whatever we should load pam_nologin.so
module or not based on your username or user-group.
Open the file using your favorite text editor:
$ sudo vi /etc/pam.d/sshd
And find these lines:
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
Add this line between them:
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
So now the lines should look like this:
# Disallow non-root logins when /etc/nologin exists.
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
Now users who are in sudo
group can login even when /run/nologin
exists.
And to allow a specific user:
account [default=2 success=ignore] pam_succeed_if.so quiet user != username
For more flexible conditions checkout:
man pam_succeed_if
edited Aug 31 at 20:16
answered Aug 31 at 17:58
Ravexina
962719
962719
add a comment |Â
add a comment |Â
up vote
3
down vote
If root
can remotely login to the system, nologin
is ignored. However, most sane admins will not permit root
to directly login remotely, in favor of an authorized user logging in and using sudo
. If the latter is not the case, however, root
can log in and abort the shutdown.
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
up vote
3
down vote
If root
can remotely login to the system, nologin
is ignored. However, most sane admins will not permit root
to directly login remotely, in favor of an authorized user logging in and using sudo
. If the latter is not the case, however, root
can log in and abort the shutdown.
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
up vote
3
down vote
up vote
3
down vote
If root
can remotely login to the system, nologin
is ignored. However, most sane admins will not permit root
to directly login remotely, in favor of an authorized user logging in and using sudo
. If the latter is not the case, however, root
can log in and abort the shutdown.
If root
can remotely login to the system, nologin
is ignored. However, most sane admins will not permit root
to directly login remotely, in favor of an authorized user logging in and using sudo
. If the latter is not the case, however, root
can log in and abort the shutdown.
answered Aug 31 at 17:40
DopeGhoti
41.1k55080
41.1k55080
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
up vote
2
down vote
The nologin
is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys
, then you can login with that key as root.
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
up vote
2
down vote
The nologin
is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys
, then you can login with that key as root.
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
up vote
2
down vote
up vote
2
down vote
The nologin
is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys
, then you can login with that key as root.
The nologin
is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys
, then you can login with that key as root.
answered Aug 31 at 17:41
RalfFriedl
3,9601625
3,9601625
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
Thanks +1, I was looking for something more flexible like this :)
â Ravexina
Aug 31 at 18:03
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f466083%2fis-it-possible-to-remotely-cancel-a-scheduled-shutdown-when-run-nologin-exists%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password