shutting down proxmox from VM

Not "ssh -l sduser proxmox_IP ALL=(root) NOPASSWD:/usr/sbin/shutdown", I meant changing it in the sudoers file from sduser ALL=(ALL) NOPASSWD:/usr/sbin/shutdown to sduser ALL=(root) NOPASSWD:/usr/sbin/shutdown (like you did with visudo before).
 
I generated the key pair below and pasted the public key in
Code:
/home/sduser/authorized_keys
. Another post I found suggests I should have put
Code:
public key in ~/.ssh/authorized_keys
Are both approaches right? The second one looks more secure (hidden file).
You're right, it should be "/home/sduser/.ssh/authorized_keys", not "/home/sduser/authorized_keys".

I then tried 'pasting' the "key fingerprint" in as the password (since "Save private key" produces way more than a password) but it appears 'paste' is disabled and it simply does not seem right at all. Clearly I think I'm missing some key info (pardon the pun)
The idea is that you provide the private key file every time you want to connect via SSH instead of using a password. So keep the passphrase fields empty when creating an RSA key and use the ppk created to authenticate when establishing a connection with putty. You don't need that fingerprint. Just the public key you paste into your authorized_keys file and the ppk file with your private key for putty.
 
Not "ssh -l sduser proxmox_IP ALL=(root) NOPASSWD:/usr/sbin/shutdown", I meant changing it in the sudoers file from sduser ALL=(ALL) NOPASSWD:/usr/sbin/shutdown to sduser ALL=(root) NOPASSWD:/usr/sbin/shutdown (like you did with visudo before).

ok, thanks. my bad.

made the change and get the same as earlier:
Code:
Failed to set wall message, ignoring: Access denied
Failed to reboot system via logind: Access denied
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.

Do I need to restart something or reboot to put these changes in effect? Is that the issue?

Also, for giggles I thought I would just login then issue command.

First try:
Code:
sduser@thibworldpx2:~$ cd /usr
sduser@thibworldpx2:/usr$ cd sbin
sduser@thibworldpx2:/usr/sbin$ ./shutdown -r now
User root is logged in on pts/0.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl reboot -i'.
sduser@thibworldpx2:/usr/sbin$

As I did have a shell open, I closed it and tried again:
Code:
sduser@thibworldpx2:/usr/sbin$ ./shutdown -r now
Failed to set wall message, ignoring: Access denied
Failed to reboot system via logind: Access denied
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
sduser@thibworldpx2:/usr/sbin$

I will need to be able to "ignore inhibitors" so should I be running the 'systemctl reboot -i' instead of shutdown, or will giving root privilege to sduser fix that?
 
The idea is that you provide the private key file every time you want to connect via SSH instead of using a password. So keep the passphrase fields empty when creating an RSA key and use the ppk created to authenticate when establishing a connection with putty. You don't need that fingerprint. Just the public key you paste into your authorized_keys file and the ppk file with your private key for putty.

I'm not using putty to do the ssh. It has to be a command (.bat or .cmd) file in Windows because it's the UPS software in the Windows VM that's going to be calling for the shutdown of proxmox. So how do I make a DOS SSH command refer to a private key (or the file with it)?

And before anyone suggests using nut to manage UPS, I wasted hours on that and it was going to take many more hours to get it to do what the Windows software does out of the box. As long as I can get the remote shutdown command to work, it's going to be way better / less on-going headaches to use the Windows s/w.
 
OK, I figured out how to set up a key pair for SSH between Proxmox and Windows with the help of https://dev.to/juni/how-to-set-up-ssh-access-with-rsa-private-key-on-windows---gitbash-2hio

So I can ssh into proxmox from the DOS command line without putting in a password. Now I just need to know why sduser can't do the shutdown despite being set up to 'runas' root without passwd via the following entry in the sudoers file:

Code:
sduser  ALL=(root) NOPASSWD: /usr/sbin/shutdown,/usr/bin/systemctl

Tried two different commands:
Code:
sduser@thibworldpx2:~$ /usr/sbin/shutdown -r now
User root is logged in on pts/0.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl reboot -i'.

sduser@thibworldpx2:~$ systemctl reboot -i
Failed to set wall message, ignoring: Access denied
Failed to reboot system via logind: Access denied
Failed to start reboot.target: Access denied
 
So why aren't these commands working?

Added to sudoers file for sduser:
Code:
sduser  ALL=(root) NOPASSWD: /usr/sbin/shutdown,/usr/bin/systemctl


Tried two different commands:

Code:
sduser@thibworldpx2:~$ /usr/sbin/shutdown -r now
User root is logged in on pts/0.
Please retry operation after closing inhibitors and logging out other users.
Alternatively, ignore inhibitors and users with 'systemctl reboot -i'.

sduser@thibworldpx2:~$ systemctl reboot -i
Failed to set wall message, ignoring: Access denied
Failed to reboot system via logind: Access denied
Failed to start reboot.target: Access denied



I also tried having sduser call for shutdown automatically at login through a 'shutdown.sh' script in /home/sduser that I added at bottom of /home/sduser/.profile so it runs on login.

First, using these commands in the script:

Code:
#!/bin/bash
/usr/sbin/shutdown -r now

which runs at login - so that works - but get the same error messages

then I tried like this:

Code:
#!/bin/bash
su -c "/usr/sbin/shutdown -r now"

but it prompts for a password. How do I disable prompting for a password?
 
but it prompts for a password. How do I disable prompting for a password?
Because then you run shutdown as root and not as the sduser, so you need to authenticate with root's password again, which is as insecure as just logging in as the root user, giving your VM full admin access to your PVE host.

Maybe someone of the staff might know what might be blocking the shutdown command.

Here, something similar to sduser ALL=(root) NOPASSWD: /usr/sbin/shutdown works fine to allow my unprivileged monitoring user to access smartctl and the disks, which usually is only allowed to the root user.
 
Thanks @Dunuin, @datschlatscher, and @UdoB for the closer. I'm pretty happy with the solution. I've set up ssh auto login from Windows to Proxmox with public-private keys so I don't need/use the root password, and the mere act of logging in with the user "sduser", which was created only for shutting down Proxmox, immediately does the one job it was created for. This prevents anyone from doing anything with the account, which wouldn't be much anyway.

That said, I'll open the door to bursting my bubble. Is this actually relatively secure? It seems to be to me. Worst case, someone that hacks my sduser password (after guessing or finding the username in the first place) would simply end up automatically shutting down Proxmox. To prevent that I made the password super complicated (kept in my password manager). Perhaps using the API is better, but would this be second best?

Thanks again
 
Better than using complicated passwords for your Linux users is to additionally only allow public-private-key authentication for ssh. That can be done by editing the line #PasswordAuthentication yes to PasswordAuthentication no in "/etc/ssh/sshd_config". But for that you should create another pair of priv-pub-keys for your root first, so you don't lock yourself out. But I would only recommend that if you can really keep that private key file safe (for example stored in an encrypted password safe when not in use).
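As an added example (not code from the thread or from Proxmox), two shell helpers around the setup discussed above: an authorized_keys entry that restricts the key to running the sudoers-permitted shutdown through a forced command, which achieves the "logging in does the one job" effect without a .profile trick and leaves the key useless for anything else, and a check that an sshd_config really has password logins off. The user name, the sudoers line and the sample key text are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread. Two helpers for the setup discussed
# above: (1) an authorized_keys entry that restricts the key to running the
# sudoers-permitted shutdown, as an alternative to triggering it from .profile,
# and (2) a check that sshd really has password logins switched off.
# "sduser", the sudoers line and the sample key text are assumptions.
set -u

# sshd ignores the client's requested command and runs the forced one, so this
# key can only shut the host down: no shell, no port forwarding, no pty.
# sudo -n never prompts; it fails instead of hanging if the sudoers entry
# (sduser ALL=(root) NOPASSWD: /usr/sbin/shutdown) is missing.
restricted_key_line() {
    local pubkey="$1"   # "ssh-rsa AAAA... rsa-key-20220720"
    printf 'command="sudo -n /usr/sbin/shutdown -h now",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# Return 0 when the effective PasswordAuthentication in an sshd_config is "no".
# sshd uses the first uncommented occurrence; a commented-out
# "#PasswordAuthentication yes" only documents the compiled-in default (yes).
password_auth_disabled() {
    local cfg="$1" val
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg" \
          | head -n 1 | awk '{print tolower($2)}')
    [ "${val:-yes}" = "no" ]
}

# Constructed sample inputs so both helpers can be exercised offline.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...EXAMPLE rsa-key-20220720'
sample_sshd_config() {   # writes a small config and prints its path
    local f; f=$(mktemp)
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
                  'PubkeyAuthentication yes' > "$f"
    echo "$f"
}

restricted_key_line "$SAMPLE_PUBKEY"
cfg=$(sample_sshd_config)
if password_auth_disabled "$cfg"; then echo "password logins: off"; else echo "password logins: still on"; fi
rm -f "$cfg"
```

The printed line is what goes into /home/sduser/.ssh/authorized_keys in place of the bare key; test the root key from a second session before turning PasswordAuthentication off.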
 
On a new install I am trying the SSH + no-password user ("sduser") way of executing a shutdown, but I'm getting stuck doing the SSH for 'sduser' on this install and I can't figure out why.

SSH works fine using putty for root, i.e. I get the following when I use putty and set login as root

Code:
Using username "root".
Authenticating with public key "rsa-key-20220720"
Linux thibworldpx3 5.15.39-1-pve #1 SMP PVE 5.15.39-1 (Wed, 22 Jun 2022 17:22:00 +0200) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 20 14:31:21 2022 from 192.168.2.2
root@thibworldpx3:~#


But when I try to ssh with putty using login of 'sduser', I get this:
Code:
Using username "sduser".
Server refused our key
sduser@192.168.2.254's password:

The same key is in ~/.ssh/authorized_keys for both users

PLUS I have no password for sduser:

Code:
passwd -S sduser
sduser NP 07/20/2022 0 99999 7 -1

AND sduser has been added to sudoers file using the line

Code:
sduser  ALL=(root) NOPASSWD:/usr/sbin/shutdown

Also tried the following syntax (and others) as I read different posts and got warnings from visudo about the syntax for that line

Code:
sduser  ALL=(root) NOPASSWD /usr/sbin/shutdown

Code:
sduser  ALL=(root) NOPASSWD: /usr/sbin/shutdown


Same key pair for both copied in about 3 times now in case of typo or something, all on one line with CR at the end, like this (though this is not the actual one):

Code:
root@thibworldpx3:/home/sduser/.ssh# more auth*
ssh-rsa  AAAAB3NzaC1yc2EAAAADAQABAAABAQCYsBC/CA9tAbqquYyrJYQ6sqTehJDPOridmiTU2oHIGqM9blahblahblahblahHuvc0Bmnaa19mYQjVmEwkwwEk+CRdTlQU6WIj2I+MpsWsTKPo6MBj4rFkWnQo8atAb1vU7Y+Va1p4v1as5AyOhH3tlniOyjgYTWX6aXdmz3Rm/fJS/6aTBNRlHrJfcQluchzpPca5XgfN+aT rsa-key-20220720

root@thibworldpx3:/home/sduser/.ssh#

FWIW, when I used the command line to ssh I get a similar thing for each one respectively:

Code:
ssh root
Linux thibworldpx3 5.15.39-1-pve #1 SMP PVE 5.15.39-1 (Wed, 22 Jun 2022 17:22:00 +0200) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 20 14:35:50 2022 from 192.168.2.2
root@thibworldpx3:~#

ssh sduser
sduser@192.168.2.254's password:
Permission denied, please try again.
sduser@192.168.2.254's password:
Permission denied, please try again.
sduser@192.168.2.254's password:
sduser@192.168.2.254: Permission denied (publickey,password).

What am I missing?
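As an added example (not from the thread), a small script that reproduces the checks sshd performs under its default StrictModes before it will accept a key: ownership and group/other write permissions on the home directory, ~/.ssh and authorized_keys, and that each key sits on a single line. Those are the usual reasons for "Server refused our key" when the same key works for another user; the sample directories it builds are constructed, and the /home/sduser path in the comments is an assumption.

```shell
#!/bin/bash
# Added example, not code from the thread. Reproduces the checks sshd performs
# (StrictModes, on by default) before it accepts a key. Sample directories
# below are constructed; on a real host run it as root against /home/sduser.
set -u
# check_key_files HOME_DIR EXPECTED_OWNER: prints each problem, returns 1 if any.
check_key_files() {
    local home="$1" owner="$2" rc=0 path own mode n=0 line
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then echo "missing: $path"; rc=1; continue; fi
        own=$(stat -c %U "$path"); mode=$(stat -c %a "$path")
        [ "$own" = "$owner" ] || { echo "wrong owner on $path: $own"; rc=1; }
        # group/world-writable anywhere on this path (e.g. 775 home) => key ignored
        case "$mode" in
            *[2367]?|*[2367]) echo "group/other writable: $path ($mode)"; rc=1 ;;
        esac
    done
    # each key must be a single line: "<type> <base64> [comment]", never wrapped
    if [ -f "$home/.ssh/authorized_keys" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in
                ''|'#'*) ;;
                ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *|*command=*) ;;
                *) printf 'line %d is not a key: %.20s...\n' "$n" "$line"; rc=1 ;;
            esac
        done < "$home/.ssh/authorized_keys"
    fi
    return "$rc"
}
# Constructed samples: a correct layout and one with the classic mistakes
# (loose permissions and a public key pasted across two lines).
make_sample_home() {   # make_sample_home good|bad -> prints the directory
    local d; d=$(mktemp -d); mkdir -p "$d/.ssh"
    if [ "$1" = good ]; then
        chmod 755 "$d"; chmod 700 "$d/.ssh"
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...EXAMPLE rsa-key-20220720\n' > "$d/.ssh/authorized_keys"
        chmod 600 "$d/.ssh/authorized_keys"
    else
        chmod 775 "$d"; chmod 777 "$d/.ssh"
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\n...EXAMPLE rsa-key-20220720\n' > "$d/.ssh/authorized_keys"
        chmod 664 "$d/.ssh/authorized_keys"
    fi
    echo "$d"
}
good=$(make_sample_home good); check_key_files "$good" "$(id -un)" && echo "OK: $good"
bad=$(make_sample_home bad);   check_key_files "$bad" "$(id -un)" || echo "problems found in $bad"
rm -rf "$good" "$bad"
```

Running sshd with LogLevel VERBOSE and reading its journal gives the same verdict from the server side, including which file it rejected.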
 
