Shutting Down Linux Remotely

I was looking for a way to automate remote Linux computer shutdown requiring minimum permissions. This is what I came up with.

The procedure describes how to configure and prepare Fedora’s built-in shutdown user account and trigger a shutdown from a Windows computer.

Requirements

  1. SSH client for Windows. Plink is recommended and described in this document. Plink is a part of PuTTY.
  2. The following procedure was developed and tested on Fedora release 17. With some minor modifications, it should work on other Linux distributions too.

Linux setup

  1. Create a new file /sbin/shutdown-now with the following content:
    #!/bin/sh
    /bin/sudo /sbin/telinit 0
  2. Make it executable using:
    chmod a+x /sbin/shutdown-now
  3. Add /sbin/shutdown-now to the list of allowed shells in /etc/shells.
  4. Add the following line to /etc/sudoers:
    shutdown ALL=NOPASSWD:/sbin/telinit 0
  5. Set password to the built-in shutdown user account, using:
    passwd shutdown
  6. Set the shutdown user’s shell to /sbin/shutdown-now. Open /etc/passwd and find the line beginning with shutdown:... Modify it to:
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown-now

Windows setup

  1. To shut down Linux computer, use:
    plink -t -l shutdown -pw <password> <computer>

Host keys

Please note that Plink displays a warning on first connection attempt to any given computer. It prompts user to confirm the host key. Such prompts are highly undesirable in automated environments, and there is no way to disable them, as explicitly stated in the PuTTY documentation:

A.2.9 Is there an option to turn off the annoying host key prompts?
No, there isn’t. And there won’t be. Even if you write it yourself and send us the patch, we won’t accept it.
Those annoying host key prompts are the _whole point_ of SSH.

What we’re left to do is to make an initial manual run of Plink to confirm the host key. When confirmed, the host key is saved to registry and not prompted again unless it changes.

The host keys are stored in:

  • HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

When required to call Plink from Local System, Local Service, or Network Service account, we have to copy the host keys manually to:

  • HKEY_USERS\S-1-5-18\Software\SimonTatham\PuTTY\SshHostKeys
  • HKEY_USERS\S-1-5-19\Software\SimonTatham\PuTTY\SshHostKeys or
  • HKEY_USERS\S-1-5-20\Software\SimonTatham\PuTTY\SshHostKeys respectively.

After that, add -batch parameter to Plink call to make it fail rather than wait for a prompt in case of host key mismatch ever again.

References

  1. http://www.cyberciti.biz/tips/shutdown-account-to-shutdown-linux-server.html
  2. http://forums.fedoraforum.org/archive/index.php/t-252309.html
  3. http://forums.fedoraforum.org/showthread.php?t=249295
  4. http://www.linuxquestions.org/questions/linux-general-1/sudoers-file-no-password-615334/
  5. http://ubuntuforums.org/showthread.php?t=19236
  6. http://stackoverflow.com/questions/6147203/automating-running-command-on-linux-from-windows-using-putty

Yes, I know – a lot of knowledge involved for a fairly simple thing!

2 thoughts on “Shutting Down Linux Remotely”

  1. Another solution to prevent Plink’s host key prompt came to my mind…

    Once the host key is confirmed manually, open HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys to get the host key. Then make your shutdown call like:

    reg add "HKCU\Software\SimonTatham\PuTTY\SshHostKeys" /v "rsa2@22:<computer>" /t REG_SZ /d "<host key>" /f
    plink -t -batch -l shutdown -pw <password> <computer>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.