Is it possible to remotely cancel a scheduled shutdown when /run/nologin exists?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
5
down vote

favorite
2












Consider this scenario:



  1. User ssh into a system and does whatever he/she wants.


  2. Then schedules a shutdown using:



    sudo shutdown -h +1


  3. Finally closes the ssh session

Now /run/nologin has been created and no one can login anymore, but something comes up and we want to ssh back to the system before it goes down.



Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?










share|improve this question



























    up vote
    5
    down vote

    favorite
    2












    Consider this scenario:



    1. User ssh into a system and does whatever he/she wants.


    2. Then schedules a shutdown using:



      sudo shutdown -h +1


    3. Finally closes the ssh session

    Now /run/nologin has been created and no one can login anymore, but something comes up and we want to ssh back to the system before it goes down.



    Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?










    share|improve this question

























      up vote
      5
      down vote

      favorite
      2









      up vote
      5
      down vote

      favorite
      2






      2





      Consider this scenario:



      1. User ssh into a system and does whatever he/she wants.


      2. Then schedules a shutdown using:



        sudo shutdown -h +1


      3. Finally closes the ssh session

      Now /run/nologin has been created and no one can login anymore, but something comes up and we want to ssh back to the system before it goes down.



      Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?










      share|improve this question















      Consider this scenario:



      1. User ssh into a system and does whatever he/she wants.


      2. Then schedules a shutdown using:



        sudo shutdown -h +1


      3. Finally closes the ssh session

      Now /run/nologin has been created and no one can login anymore, but something comes up and we want to ssh back to the system before it goes down.



      Is it possible to remotely cancel the scheduled shutdown when we are not permitted to login any more?







      ssh shutdown






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Sep 1 at 2:44









      Jeff Schaller

      32.8k849110




      32.8k849110










      asked Aug 31 at 17:36









      Ravexina

      962719




      962719




















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          9
          down vote



          accepted










          Beside of using "root" account to make a new ssh connection, we can actually use PAM to allow specific user or groups logging in.



          PAM configurations of sshd are located at: /etc/pam.d/sshd which are in responsible of what you are looking for.



          By editing this file and using pam_succeed_if.so we can allow specific user or group to login even when /run/nologin exists on machine.




          pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
          other PAM items. One use is to select whether to load other modules based on this test.




          So we use it to detect whatever we should load pam_nologin.so module or not based on your username or user-group.



          Open the file using your favorite text editor:



          $ sudo vi /etc/pam.d/sshd


          And find these lines:



          # Disallow non-root logins when /etc/nologin exists.
          account required pam_nologin.so


          Add this line between them:



          account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo


          So now the lines should look like this:



          # Disallow non-root logins when /etc/nologin exists.
          account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
          account required pam_nologin.so


          Now users who are in sudo group can login even when /run/nologin exists.



          And to allow a specific user:



          account [default=2 success=ignore] pam_succeed_if.so quiet user != username


          For more flexible conditions checkout:



          man pam_succeed_if





          share|improve this answer





























            up vote
            3
            down vote













            If root can remotely login to the system, nologin is ignored. However, most sane admins will not permit root to directly login remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.






            share|improve this answer




















            • Thanks +1, I was looking for something more flexible like this :)
              – Ravexina
              Aug 31 at 18:03

















            up vote
            2
            down vote













            The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys, then you can login with that key as root.






            share|improve this answer




















            • Thanks +1, I was looking for something more flexible like this :)
              – Ravexina
              Aug 31 at 18:03










            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f466083%2fis-it-possible-to-remotely-cancel-a-scheduled-shutdown-when-run-nologin-exists%23new-answer', 'question_page');

            );

            Post as a guest






























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            9
            down vote



            accepted










            Beside of using "root" account to make a new ssh connection, we can actually use PAM to allow specific user or groups logging in.



            PAM configurations of sshd are located at: /etc/pam.d/sshd which are in responsible of what you are looking for.



            By editing this file and using pam_succeed_if.so we can allow specific user or group to login even when /run/nologin exists on machine.




            pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
            other PAM items. One use is to select whether to load other modules based on this test.




            So we use it to detect whatever we should load pam_nologin.so module or not based on your username or user-group.



            Open the file using your favorite text editor:



            $ sudo vi /etc/pam.d/sshd


            And find these lines:



            # Disallow non-root logins when /etc/nologin exists.
            account required pam_nologin.so


            Add this line between them:



            account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo


            So now the lines should look like this:



            # Disallow non-root logins when /etc/nologin exists.
            account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
            account required pam_nologin.so


            Now users who are in sudo group can login even when /run/nologin exists.



            And to allow a specific user:



            account [default=2 success=ignore] pam_succeed_if.so quiet user != username


            For more flexible conditions checkout:



            man pam_succeed_if





            share|improve this answer


























              up vote
              9
              down vote



              accepted










              Beside of using "root" account to make a new ssh connection, we can actually use PAM to allow specific user or groups logging in.



              PAM configurations of sshd are located at: /etc/pam.d/sshd which are in responsible of what you are looking for.



              By editing this file and using pam_succeed_if.so we can allow specific user or group to login even when /run/nologin exists on machine.




              pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
              other PAM items. One use is to select whether to load other modules based on this test.




              So we use it to detect whatever we should load pam_nologin.so module or not based on your username or user-group.



              Open the file using your favorite text editor:



              $ sudo vi /etc/pam.d/sshd


              And find these lines:



              # Disallow non-root logins when /etc/nologin exists.
              account required pam_nologin.so


              Add this line between them:



              account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo


              So now the lines should look like this:



              # Disallow non-root logins when /etc/nologin exists.
              account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
              account required pam_nologin.so


              Now users who are in sudo group can login even when /run/nologin exists.



              And to allow a specific user:



              account [default=2 success=ignore] pam_succeed_if.so quiet user != username


              For more flexible conditions checkout:



              man pam_succeed_if





              share|improve this answer
























                up vote
                9
                down vote



                accepted







                up vote
                9
                down vote



                accepted






                Beside of using "root" account to make a new ssh connection, we can actually use PAM to allow specific user or groups logging in.



                PAM configurations of sshd are located at: /etc/pam.d/sshd which are in responsible of what you are looking for.



                By editing this file and using pam_succeed_if.so we can allow specific user or group to login even when /run/nologin exists on machine.




                pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
                other PAM items. One use is to select whether to load other modules based on this test.




                So we use it to detect whatever we should load pam_nologin.so module or not based on your username or user-group.



                Open the file using your favorite text editor:



                $ sudo vi /etc/pam.d/sshd


                And find these lines:



                # Disallow non-root logins when /etc/nologin exists.
                account required pam_nologin.so


                Add this line between them:



                account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo


                So now the lines should look like this:



                # Disallow non-root logins when /etc/nologin exists.
                account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
                account required pam_nologin.so


                Now users who are in sudo group can login even when /run/nologin exists.



                And to allow a specific user:



                account [default=2 success=ignore] pam_succeed_if.so quiet user != username


                For more flexible conditions checkout:



                man pam_succeed_if





                share|improve this answer














                Beside of using "root" account to make a new ssh connection, we can actually use PAM to allow specific user or groups logging in.



                PAM configurations of sshd are located at: /etc/pam.d/sshd which are in responsible of what you are looking for.



                By editing this file and using pam_succeed_if.so we can allow specific user or group to login even when /run/nologin exists on machine.




                pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of
                other PAM items. One use is to select whether to load other modules based on this test.




                So we use it to detect whatever we should load pam_nologin.so module or not based on your username or user-group.



                Open the file using your favorite text editor:



                $ sudo vi /etc/pam.d/sshd


                And find these lines:



                # Disallow non-root logins when /etc/nologin exists.
                account required pam_nologin.so


                Add this line between them:



                account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo


                So now the lines should look like this:



                # Disallow non-root logins when /etc/nologin exists.
                account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
                account required pam_nologin.so


                Now users who are in sudo group can login even when /run/nologin exists.



                And to allow a specific user:



                account [default=2 success=ignore] pam_succeed_if.so quiet user != username


                For more flexible conditions checkout:



                man pam_succeed_if






                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Aug 31 at 20:16

























                answered Aug 31 at 17:58









                Ravexina

                962719




                962719






















                    up vote
                    3
                    down vote













                    If root can remotely login to the system, nologin is ignored. However, most sane admins will not permit root to directly login remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.






                    share|improve this answer




















                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03














                    up vote
                    3
                    down vote













                    If root can remotely login to the system, nologin is ignored. However, most sane admins will not permit root to directly login remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.






                    share|improve this answer




















                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03












                    up vote
                    3
                    down vote










                    up vote
                    3
                    down vote









                    If root can remotely login to the system, nologin is ignored. However, most sane admins will not permit root to directly login remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.






                    share|improve this answer












                    If root can remotely login to the system, nologin is ignored. However, most sane admins will not permit root to directly login remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Aug 31 at 17:40









                    DopeGhoti

                    41.1k55080




                    41.1k55080











                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03
















                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03















                    Thanks +1, I was looking for something more flexible like this :)
                    – Ravexina
                    Aug 31 at 18:03




                    Thanks +1, I was looking for something more flexible like this :)
                    – Ravexina
                    Aug 31 at 18:03










                    up vote
                    2
                    down vote













                    The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys, then you can login with that key as root.






                    share|improve this answer




















                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03














                    up vote
                    2
                    down vote













                    The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys, then you can login with that key as root.






                    share|improve this answer




















                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03












                    up vote
                    2
                    down vote










                    up vote
                    2
                    down vote









                    The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys, then you can login with that key as root.






                    share|improve this answer












                    The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create a SSH key and place it in ~root/.ssh/authorized_keys, then you can login with that key as root.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Aug 31 at 17:41









                    RalfFriedl

                    3,9601625




                    3,9601625











                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03
















                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03















                    Thanks +1, I was looking for something more flexible like this :)
                    – Ravexina
                    Aug 31 at 18:03




                    Thanks +1, I was looking for something more flexible like this :)
                    – Ravexina
                    Aug 31 at 18:03

















                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f466083%2fis-it-possible-to-remotely-cancel-a-scheduled-shutdown-when-run-nologin-exists%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?