Wednesday, February 4, 2015

How To Shutdown Remote System Via SSH Without Password?

This blog post explains how to shut down a remote system over SSH (Secure Shell) without typing a password, by using a public/private key pair for authentication together with a sudoers rule for the shutdown command.

- First create a user that is allowed to shut down or reboot the system, or use an existing one (here we use the existing user "admin1"). The same user must exist on every remote system with the same rights. If creating a user is not an option, any existing user with sudo privileges for shutdown/reboot can be used instead.


- Set up passwordless login for "admin1" using an SSH public/private key pair.

- Log in to the management node (the system used to manage the other systems) as user "admin1" and generate the SSH key pair there.


Generate SSH key
To generate the key pair, run the "ssh-keygen" command. When it prompts for a passphrase, press Enter to leave it empty, as shown below. Be clear about what that means: the unencrypted private key in /home/admin1/.ssh/id_rsa now stands in for admin1's password on every node it is installed on, so it must stay readable only by admin1 (mode 600, which ssh-keygen sets) and the management node must be protected at least as well as the nodes it can power off.
[admin1@desktop .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin1/.ssh/id_rsa.
Your public key has been saved in /home/admin1/.ssh/id_rsa.pub.
The key fingerprint is:
bb:af:85:89:39:18:21:7a:43:63:7d:f0:dd:0d:16:b6 admin1@desktop.private.cluster.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| . =. |
| . o . + + |
| = o o . E . |
| + o o |
|. o . S |
| . . o o + |
| . + + . |
| . o |
| oo. |
+-----------------+


- Now copy the public key into the "admin1" account on every remote system.

- To copy it to many nodes, run ssh-copy-id in a 'for' loop. First create a file with the hostname or IP address of each node on its own line, then run the loop as shown below:

{{ in this case we stored the IP addresses of all the hosts in the file "/home/admin1/nodes.lst" }}


Copy SSH Key
Log in as user "admin1" and run the command below in a shell. ssh-copy-id prompts for admin1's password on each node the first time, then appends the "*.pub" key to that node's ~/.ssh/authorized_keys, so later logins need no password.


[admin1@desktop ~]$ for i in $(cat nodes.lst); do /usr/bin/ssh-copy-id "$i"; done
admin1@172.16.1.200's password:
Now try logging into the machine, with "ssh '172.16.1.200'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

admin1@172.16.1.201's password:
Now try logging into the machine, with "ssh '172.16.1.201'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.



- Log in as root on each remote system and run the command "visudo" (without quotes). This is a one-time task per node; with many nodes, push the same rule to each of them with a for loop instead of editing by hand.



Add Sudo User
Add the line below to '/etc/sudoers' (or to a file under /etc/sudoers.d/) to let user 'admin1' run the shutdown command without a password:
admin1 ALL = NOPASSWD: /sbin/shutdown


- Now "admin1" can run the shutdown command through sudo on any host that carries this entry without entering a password. The "ALL" here is the host list: to restrict it, replace "ALL" with the hostnames, IP addresses or a Host_Alias as required. Note also that the rule as written matches /sbin/shutdown with any arguments (a reboot with -r, cancelling with -c, and so on); if only a power-off should be allowed, spell out the exact arguments after the command path so that nothing else matches.


- Let's see how to run the shutdown command on the remote systems.

{{ the command below does a graceful power-off of the system }}

sudo /sbin/shutdown -P 0

Run it over ssh as shown below. The -t flag allocates a tty on the remote side, which sudo needs on systems where "Defaults requiretty" is set in sudoers:

[admin1@desktop ~]$ for i in $(cat nodes.lst); do /usr/bin/ssh -t "$i" /usr/bin/sudo /sbin/shutdown -P 0; done

{{ You would then see output like the following as the nodes listed in "nodes.lst" are powered off one by one }}

Broadcast message from admin1@localhost.localdomain
(/dev/pts/0) at 10:58 ...

The system is going down for power off NOW!
Connection to 172.16.1.200 closed.

Broadcast message from admin1@localhost.localdomain
(/dev/pts/0) at 10:58 ...

The system is going down for power off NOW!
Connection to 172.16.1.201 closed.


- That's all! If you wish, you can wrap this in a script as well.
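The steps above, collected into one script and tightened the way a security engineer would deploy them. This is an added example, not the original post's commands; the user "admin1", the node list nodes.lst, the /sbin/shutdown path and the /etc/sudoers.d/ drop-in location are assumptions carried over from the page's own examples, and the SSH_CMD variable is a hook added here so the loop can be tested against a stub. Two things change compared with the steps above: the public key is installed with a forced command plus no-pty and no-forwarding options, so the only thing a stolen key can ever do on a node is power it off, and the sudoers rule names the exact arguments instead of bare /sbin/shutdown. Because the forced command runs without a tty, the drop-in also turns off requiretty for admin1 and the loop no longer needs ssh -t.

```shell
#!/bin/sh
# Hardened version of the procedure on this page (added example, not the post's script).
# Assumptions not taken from the page: management user "admin1", nodes.lst with one host
# per line ('#' comments and blank lines allowed), sudoers drop-in under /etc/sudoers.d/.

# Restricted authorized_keys entry: the forced command replaces whatever the client asks
# for, so the key can power a node off but cannot open a shell, forward ports, or run
# any other command.
# $1 = contents of the public key (the one line in id_rsa.pub)
restricted_key_line() {
    printf 'command="sudo /sbin/shutdown -P 0",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1"
}

# sudoers drop-in (e.g. /etc/sudoers.d/admin1-shutdown, mode 0440): the exact command
# with its arguments, not bare /sbin/shutdown, which would also allow -r, -c, etc.
# The forced command runs without a pty, so requiretty must be off for this user.
# $1 = user name
sudoers_dropin() {
    printf 'Defaults:%s !requiretty\n%s ALL=(root) NOPASSWD: /sbin/shutdown -P 0\n' "$1" "$1"
}

# Walk the node list and either install the restricted key or power the node off.
# $SSH_CMD defaults to ssh; a test can point it at a stub. Prints the number of nodes handled.
# $1 = node list file, $2 = "install" or "shutdown", $3 = public key line (install only)
for_each_node() {
    list=$1; action=$2; key=$3; count=0
    while IFS= read -r node || [ -n "$node" ]; do
        case "$node" in ''|'#'*) continue ;; esac
        case "$action" in
        install)
            # First contact still uses the password, like ssh-copy-id. umask 077 gives
            # ~/.ssh mode 700 and authorized_keys mode 600, which StrictModes requires.
            # ssh's stdin is the pipe here, so it does not eat the node list.
            restricted_key_line "$key" | ${SSH_CMD:-ssh} "admin1@$node" \
                'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' ;;
        shutdown)
            # -n keeps ssh from reading the node list as its stdin; no -t, no pty is needed.
            # BatchMode=yes fails fast instead of hanging on a password prompt when key
            # authentication is broken on a node.
            ${SSH_CMD:-ssh} -n -o BatchMode=yes "admin1@$node" /usr/bin/sudo /sbin/shutdown -P 0 ;;
        *)  echo "unknown action: $action" >&2; return 2 ;;
        esac
        count=$((count + 1))
    done < "$list"
    echo "$count"
}
```

Usage: `for_each_node nodes.lst install "$(cat ~/.ssh/id_rsa.pub)"` on the management node (this asks for admin1's password once per node), then put the output of `sudoers_dropin admin1` into /etc/sudoers.d/admin1-shutdown on each node as root and check it with `visudo -c -f /etc/sudoers.d/admin1-shutdown`, and finally `for_each_node nodes.lst shutdown`. A node whose key setup is wrong now fails immediately with a "Permission denied" from BatchMode rather than prompting; `ssh -v admin1@node` shows which key was offered and why it was refused.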

NOTE: If a system still prompts for a password after the above steps, check the server side first: 'PubkeyAuthentication' must not be set to 'no' in /etc/ssh/sshd_config on the remote system (remove the line or set it to 'yes'), and sshd must be restarted there after the change; this is a server setting, not a client one. The more common cause is file permissions: with the default "StrictModes yes", sshd silently ignores ~/.ssh/authorized_keys if the home directory, ~/.ssh or the file itself is writable by anyone but the owner, so ~/.ssh should be mode 700 and authorized_keys mode 600, both owned by the user. Run "ssh -v admin1@host" from the management node and read the sshd messages in the remote system's auth log to see which key was offered and why it was rejected. On SELinux systems a ~/.ssh directory created by root or restored from a backup may also need "restorecon -R ~/.ssh".

1 comment:

Bala said...

It does not work actually. It still prompts for the password.