Is it possible to remotely cancel a scheduled shutdown when /run/nologin exists?

      Consider this scenario:

      1. A user SSHes into a system and does whatever he/she wants.
      2. Then schedules a shutdown using:

        sudo shutdown -h +1

      3. Finally closes the SSH session.

      Now /run/nologin has been created and no one can log in anymore, but something comes up and we want to SSH back into the system before it goes down.

      Is it possible to remotely cancel the scheduled shutdown when we are not permitted to log in anymore?







      Tags: ssh, shutdown






      edited Sep 1 at 2:44 by Jeff Schaller

      asked Aug 31 at 17:36 by Ravexina




















          3 Answers
                accepted






                Besides using the "root" account to make a new ssh connection, we can actually use PAM to allow specific users or groups to log in.

                The PAM configuration of sshd is located at /etc/pam.d/sshd, which is responsible for what you are looking for.

                By editing this file and using pam_succeed_if.so, we can allow a specific user or group to log in even when /run/nologin exists on the machine.

                "pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items. One use is to select whether to load other modules based on this test."

                So we use it to detect whether we should load the pam_nologin.so module or not, based on your username or user group.

                Open the file using your favorite text editor:

                    $ sudo vi /etc/pam.d/sshd

                And find these lines:

                    # Disallow non-root logins when /etc/nologin exists.
                    account required pam_nologin.so

                Add this line between them:

                    account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo

                So now the lines should look like this:

                    # Disallow non-root logins when /etc/nologin exists.
                    account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
                    account required pam_nologin.so

                Now users who are in the sudo group can log in even when /run/nologin exists.

                And to allow a specific user:

                    account [default=2 success=ignore] pam_succeed_if.so quiet user != username

                For more flexible conditions, check out:

                    man pam_succeed_if





                answered Aug 31 at 17:58 by Ravexina, edited Aug 31 at 20:16
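
How the bracketed control values in the answer above route a login through the account stack, as an added example that is not part of the original answer: a small Python model of only the `success=ignore` / `default=N` jump behaviour, run with /run/nologin present. The users alice, bob and carol, the `pam_unix.so` line standing in for the rest of the stack, and all function names are assumptions made up for the illustration.

```python
import re

# Constructed accounts (name -> groups); alice, bob and carol are made up.
USERS = {"root": {"root"}, "alice": {"alice", "sudo"},
         "bob": {"bob"}, "carol": {"carol"}}

GROUP_RULE = "account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo"
USER_RULE = "account [default=2 success=ignore] pam_succeed_if.so quiet user != carol"
NOLOGIN = "account required pam_nologin.so"
REST = "account required pam_unix.so"  # assumed stand-in for the rest of the stack


def parse(line):
    """Split a PAM line into (control, module, args); control maps result -> action."""
    m = re.match(r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
    control, module, args = m.group(1), m.group(2), m.group(3).split()
    if control.startswith("["):
        control = dict(pair.split("=") for pair in control[1:-1].split())
    else:  # "required": success counts, any failure marks the stack as failed
        control = {"success": "ok", "default": "bad"}
    return control, module, args


def run_module(module, args, user, nologin_exists):
    """Return True (PAM_SUCCESS) or False for the modules used on this page."""
    if module == "pam_nologin.so":
        return not nologin_exists or user == "root"
    if module == "pam_succeed_if.so":
        field, op, value = [a for a in args if a != "quiet"]
        if (field, op) == ("user", "notingroup"):
            return value not in USERS[user]
        if (field, op) == ("user", "!="):
            return user != value
        raise ValueError("condition not modelled: %s %s" % (field, op))
    return True  # stand-in module: the account itself is valid


def evaluate(lines, user, nologin_exists=True):
    """Walk the account stack; return (allowed, names of the modules that ran)."""
    stack = [parse(line) for line in lines]
    allowed, ran, i = True, [], 0
    while i < len(stack):
        control, module, args = stack[i]
        ok = run_module(module, args, user, nologin_exists)
        ran.append(module)
        action = control["success"] if ok and "success" in control else control["default"]
        if action == "bad":
            allowed = False          # required: keep going, but the stack fails
        elif action.isdigit():       # jump over the next N modules
            if i + int(action) >= len(stack):
                raise ValueError("jump runs past the end of the stack")
            i += int(action)
        i += 1                       # "ok" and "ignore" just move on
    return allowed, ran


if __name__ == "__main__":
    stacks = {"stock": [NOLOGIN, REST],
              "group rule": [GROUP_RULE, NOLOGIN, REST],
              "user + group rule": [USER_RULE, GROUP_RULE, NOLOGIN, REST],
              "user rule alone": [USER_RULE, NOLOGIN, REST]}
    for name, lines in stacks.items():
        for user in USERS:
            print(name, user, evaluate(lines, user))
```

In the last stack the user rule sits directly above pam_nologin.so, so its `default=2` also jumps over the module that follows it; the jump count has to match the number of lines between the rule and the line after pam_nologin.so.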

                    If root can remotely log in to the system, nologin is ignored. However, most sane admins will not permit root to directly log in remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.







                    answered Aug 31 at 17:40 by DopeGhoti











                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03
















                    The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create an SSH key and place it in ~root/.ssh/authorized_keys, then you can log in with that key as root.







                    answered Aug 31 at 17:41 by RalfFriedl











                    • Thanks +1, I was looking for something more flexible like this :)
                      – Ravexina
                      Aug 31 at 18:03















