shutting down proxmox from VM

jaytee129

Member
Jun 16, 2022
142
10
23
I'm looking for a command I can send from a Windows VM that will tell proxmox to shutdown. My google searches lead to all kinds of info on how to shut proxmox from proxmox command like and how to shut vm's down from proxmox command line but nothing about how to shutdown proxmox from a VM.

Is there a way to do that?
 
Thats usually one thing you don't want to be able to do. VMs should be isolated for security reasons with no access to the host, so a compromised VM can't do too much damage.
If you still want to do that I would recommend using the Proxmox API. You can create an user like shutdown@pve and then only allow that user to start/stop/shutdown/reboot the server by giving it the privilege "Sys.PowerMgmt". Then you can send a command through the API (I'm sure Windows got something similar to curl for that too) to login as that shutdown@pve user and then to shutdown the server.

Something similar could be achieved without the API but by using SSH. You could create a new PAM user with very limited rights. Then install sudo and edit the sudoers file to allow the shutdown user to run the single command "/usr/sbin/shutdown now" with root privileges. That way that user is just allowed to shutdown the server. You can then use a SSH client and login as that user and shutdown the server.
 
Last edited:
I use this command on my personal workstation on proxmox ( VM linux mint on passtrough ) :

ssh -l root ip_du-promox- /usr/sbin/poweroff

Works like a charm.
 
I use this command on my personal workstation on proxmox ( VM linux mint on passtrough ) :

ssh -l root ip_du-promox- /usr/sbin/poweroff

Works like a charm.
But also means you give your VM root access to your PVE server...not great for security.
 
Last edited:
But also means you give your VM root access to your PVE server...not great for security.
Like l said it's my computer(workstation) @ home ...;)

Whenever the method you use, giving the power to shutdown proxmox is a bit of risky
 
Thats usually one thing you don't want to be able to do. VMs should be isolated for security reasons with no access to the host, so a compromised VM can't do too much damage.
If you still want to do that I would recommend using the Proxmox API. You can create an user like shutdown@pve and then only allow that user to start/stop/shutdown/reboot the server by giving it the privilege "Sys.PowerMgmt". Then you can send a command through the API (I'm sure Windows got something similar to curl for that too) to login as that shutdown@pve user and then to shutdown the server.

Something similar could be achieved without the API but by using SSH. You could create a new PAM user with very limited rights. Then install sudo and edit the sudoers file to allow the shutdown user to run the single command "/usr/sbin/shutdown now" with root privileges. That way that user is just allowed to shutdown the server. You can then use a SSH client and login as that user and shutdown the server.
Thanks.

So I looked up a bit about APIs and it looks too complicated for my pay grade as a newbie unless maybe someone can point me to a good tutorial on the subject. Also, while I know how to create a user called "john" or "admin", what's "shutdown@pve"? would i need to create a host/domain for something like that? why did you add @pve? where does one assign Sys.PowerMgmt privilege to a user?

So for now I'd like to pursue the SSH route without selling the farm on the security aspect if that's possible, Could I create a user name 'john', put him in the sudoers files (I did look that up but a question on that is coming), then call "ssh -l john /usr/bin/shutdown -h now"?

If so, what do I put in sudoers file to give 'john' only shutdown capability? There was nothing on that in my search for sudoers. Also why wouldn't I use the Sys.PowerMgmt privilege, wherever that's done?
 
Whenever the method you use, giving the power to shutdown proxmox is a bit of risky
But there are more and less risky methods. Thats why I explained you can create users without any privileged other than shutting down the server. Worst thing that user then could do is shutting down the server when you don't want it causing some downtime. But that user can't wipe your disk or encrypt all your data to blackmail you like ransomware would do it, which you can also be a victim of when using your workstation. Might not be the biggest risk, but a risk you could avoid if you want to.
Also, while I know how to create a user called "john" or "admin", what's "shutdown@pve"? would i need to create a host/domain for something like that?
There are two types of users. PAM users (the user accounts you create in your linux by for example using the adduser command) and PVE users, which aren't linux users but accounts that you can create to manage your PVE using the webUi or API. When you log into the webUI or API you can either use john@pve or john@pam which refer to different users.
where does one assign Sys.PowerMgmt privilege to a user?
PVE WebUI: Datacenter-> Permissions

You really should have a look into managing users, privileges and right managemnt. It isn't good to let everything run as root. Best case would be you setup a unprivileged user with as less privileges as needed for each service. Not just for the PVE host, but also inside all your VMs and LXCs. Lets say you run a webserver as root and you miss a security hole and a hacker/bot exploits it and can execute code as the user that runs the webserver. If that webserver runs as root the attacker can destroy your entire VM/LXC as he would have administrative rights to do everything he wants. If you run that webserver as an unprivileged user (for example "www") with only as much privileges to run it and access that webserver root folder, the damage the attacker could do will be limited as stuff like wiping your disk isn't possible for him.

If someone just asks for your passport, don't give him your complete purse with credit cards, PINs and so on. Thats bascially what you do when just using root for everything instead to creating unprivileged users.
So for now I'd like to pursue the SSH route without selling the farm on the security aspect if that's possible, Could I create a user name 'john', put him in the sudoers files (I did look that up but a question on that is coming), then call "ssh -l john /usr/bin/shutdown -h now"?
You will need to define the host you want to connect to and provide a password, but yes.
If so, what do I put in sudoers file to give 'john' only shutdown capability? There was nothing on that in my search for sudoers.
You can run visudo and add something like
Code:
john ALL=(ALL) NOPASSWD: /usr/sbin/shutdown
at the end that would allow the user john to call sudo shutdown now to shutdown the server without being asked for a password or giving him any root privileges.
Also why wouldn't I use the Sys.PowerMgmt privilege, wherever that's done?
Thats just if you want to use the API or webUI with a user of the PVE realm.
 
Last edited:
  • Like
Reactions: jaytee129
You can run visudo and add something like
Code:
john ALL=(ALL) NOPASSWD: /usr/sbin/shutdown
grrr. how do i run visudo? it doesn't work by itself nor using these guesses:

root@thibworldpx2:/etc# /usr/sbin/visudo
-bash: /usr/sbin/visudo: No such file or directory
root@thibworldpx2:/etc# /usr/bin/visudo
-bash: /usr/bin/visudo: No such file or directory
root@thibworldpx2:/etc# sudo /usr/sbin/visudo
-bash: sudo: command not found
 
Check that you have "sudo" installed by running apt list --installed | grep sudo. If not you might need to install it first.

In case you want john to run shutdown as the root user you can also add john ALL=(root) NOPASSWD: /usr/sbin/shutdown with visudo.
 
  • Like
Reactions: jaytee129
i found a web site after about half a dozen searches that pointed out sudo needs to be installed. i thought sudo was part of core linux functionality. all good now.
 
i found a web site after about half a dozen searches that pointed out sudo needs to be installed. i thought sudo was part of core linux functionality. all good now.
Thats the case for other linux distributions like Ubuntu. But not for Debian or PVE.
 
so added sduser just below the exist root entry using visudo

Code:
# User privilege specification
root    ALL=(ALL:ALL) ALL
sduser  ALL=(ALL) NOPASSWD:/usr/sbin/shutdown

then did this on the Windows VM (using DOS command):

Code:
ssh -l sduser proxmox_IP /etc/sbin/shutdown -h now
The authenticity of host 'proxmox_IP (proxmox_IP)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'proxmox_IP' (ECDSA) to the list of known hosts.
sduser@proxmox_IP's password:
Permission denied, please try again.
sduser@proxmox_IP's password:
Permission denied, please try again.
sduser@proxmox_IP's password:
sduser@proxmox_IP: Permission denied (publickey,password).

I tried no password (just carriage return), tried a random password, then tried root password.

What am I doing wrong?
 
SSH needs to authentiicate your sduser to allow the connection. So either type in your sdusers password or better create a RSA key just for shutting down the server and copy that public RSA key to your sdusers authorized_keys file (nano /home/sduser/authorized_keys). You could then provide the private RSA key to authentificate yourself instead of typing in a password.
 
oops, i hadn't actually created the user. I only added it to sudoers files. I fixed that now, with a password, and tried again entering the password when prompted. here's what I got:

Code:
ssh -l sduser proxmox_IP /etc/sbin/shutdown -h now
sduser@proxmox_IP's password:
bash: line 1: /etc/sbin/shutdown: No such file or directory

Aside from what's missing above, I thought the following entry in sudoers files meant a password was not needed. What am I missing here?

Code:
sduser  ALL=(ALL) NOPASSWD:/usr/sbin/shutdown
 
/etc/sbin/shutdown: No such file or directory

/usr/sbin/shutdown is probably what you are looking for. You typed /etc/ ;)

Aside from what's missing above, I thought the following entry in sudoers files meant a password was not needed. What am I missing here?
This just makes it possible for the user to issue the command without having to authenticate with the password.

Before you can do any of that, you have to connect to the machine, e.g. via SSH. SSH creates a connection from your Windows VM to your Proxmox host. To establish this connection, it usually needs a username and a password (so pretty much like everywhere else) but like @Dunuin said, setting up public-private-key authentication is generally recommended and a lot more secure. (and also means you won't have to type in the password manually!)
Once the connection is established, you can then issue the command. This is where the entry in the sudoers file comes into play.
 
  • Like
Reactions: Dunuin
/usr/sbin/shutdown is probably what you are looking for. You typed /etc/ ;)


This just makes it possible for the user to issue the command without having to authenticate with the password.

Before you can do any of that, you have to connect to the machine, e.g. via SSH. SSH creates a connection from your Windows VM to your Proxmox host. To establish this connection, it usually needs a username and a password (so pretty much like everywhere else) but like @Dunuin said, setting up public-private-key authentication is generally recommended and a lot more secure. (and also means you won't have to type in the password manually!)
Once the connection is established, you can then issue the command. This is where the entry in the sudoers file comes into play.
Oops. fixed the /usr and got this:

Code:
ssh -l sduser proxmox_IP /usr/sbin/shutdown -h now
sduser@proxmox_IP's password:
Failed to set wall message, ignoring: Access denied
Failed to power off system via logind: Access denied
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.

I'll look into creating pki cert
 
You could also try it with sduser ALL=(root) NOPASSWD:/usr/sbin/shutdown to run shutdown as the root user. And you could test if ssh -l sduser proxmox_IP /usr/sbin/shutdown works.
 
You could also try it with sduser ALL=(root) NOPASSWD:/usr/sbin/shutdown to run shutdown as the root user. And you could test if ssh -l sduser proxmox_IP /usr/sbin/shutdown works.
first one gave me this:
Code:
ssh -l sduser proxmox_IP  ALL=(root) NOPASSWD:/usr/sbin/shutdown
sduser@proxmox_IP's password:
bash: line 1: NOPASSWD:/usr/sbin/shutdown: No such file or directory

second one gave me this:

Code:
ssh -l sduser proxmox_IP /usr/sbin/shutdown
sduser@proxmox_IP's password:
Failed to set wall message, ignoring: Access denied
Failed to call ScheduleShutdown in logind, no action will be taken: Access denied

SSH needs to authentiicate your sduser to allow the connection. So either type in your sdusers password or better create a RSA key just for shutting down the server and copy that public RSA key to your sdusers authorized_keys file (nano /home/sduser/authorized_keys). You could then provide the private RSA key to authentificate yourself instead of typing in a password.


I generated the key pair below and pasted the public key in
Code:
/home/sduser/authorized_keys
. Another post I found suggests I should have put
Code:
 public key in ~/.ssh/authorized_keys
Are both approaches right? second one looks more secure (hidden file)

I then tried 'pasting' the "key fingerprint" in as the password (since "Save private key" produces way more than a password) but it appears 'paste' is disabled and it simply does not seem right at all. Clearly I think I'm missing some key info (pardon the pun)


1656690017720.png
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!