Is it possible to remotely cancel a scheduled shutdown when /run/nologin exists?
Besides using the "root" account to make a new ssh connection, we can actually use PAM to allow specific users or groups to log in.
The PAM configuration of sshd is located at /etc/pam.d/sshd, which is responsible for what you are looking for.
By editing this file and using pam_succeed_if.so we can allow a specific user or group to log in even when /run/nologin exists on the machine.
pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items. One use is to select whether to load other modules based on this test.
So we use it to detect whether we should load the pam_nologin.so module or not, based on your username or user group.
Open the file using your favorite text editor:
$ sudo vi /etc/pam.d/sshd
And find these lines:
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
Add this line between them:
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
So now the lines should look like this:
# Disallow non-root logins when /etc/nologin exists.
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
Now users who are in the sudo group can log in even when /run/nologin exists.
And to allow a specific user:
account [default=2 success=ignore] pam_succeed_if.so quiet user != username
For more flexible conditions check out:
man pam_succeed_if
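Added example (not part of the answer above): a small Python model of how the numeric actions in these `[default=N success=ignore]` controls skip the following modules in the account stack, showing which users bypass pam_nologin.so. The user name alice, the order of the two pam_succeed_if.so lines and the trailing pam_unix.so line are assumptions in a constructed stack.

```python
import re

# Constructed account stack: "alice", the line order and pam_unix.so are assumptions.
STACK = """\
# Disallow non-root logins when /etc/nologin exists.
account [default=2 success=ignore] pam_succeed_if.so quiet user != alice
account [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account required pam_nologin.so
account required pam_unix.so
"""
# Same user rule placed alone, directly above pam_nologin.so.
ALONE = "\n".join(STACK.splitlines()[1:2] + STACK.splitlines()[3:]) + "\n"

FLAGS = {"quiet", "quiet_fail", "quiet_success", "debug", "use_uid"}

def parse(text):
    """Return (control, module, args) for every 'account' line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.strip())
        if m:
            ctl, mod, args = m.groups()
            if ctl.startswith("["):  # [value=action ...] form
                ctl = dict(kv.split("=", 1) for kv in ctl[1:-1].split())
            rules.append((ctl, mod, args.split()))
    return rules

def succeed_if(args, user, groups):
    """Evaluate only the 'user <op> <value>' conditions used on this page."""
    _, op, value = [a for a in args if a not in FLAGS]
    return {"=": user == value, "!=": user != value,
            "ingroup": value in groups, "notingroup": value not in groups}[op]

def modules_evaluated(text, user, groups):
    """Walk the stack, honouring numeric jump actions; list the modules run."""
    run, skip = [], 0
    for ctl, mod, args in parse(text):
        if skip:
            skip -= 1
            continue
        run.append(mod)
        if mod == "pam_succeed_if.so" and isinstance(ctl, dict):
            result = "success" if succeed_if(args, user, groups) else "auth_err"
            action = ctl.get(result, ctl.get("default", "bad"))
            skip = int(action) if action.isdigit() else 0
    return run

def nologin_enforced(text, user, groups):
    return "pam_nologin.so" in modules_evaluated(text, user, groups)
```

In this model, `modules_evaluated(ALONE, "alice", set())` shows that a jump of 2 placed directly above pam_nologin.so also passes over the module after it, so the jump count has to match the number of lines it is meant to skip.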
If root can remotely log in to the system, nologin is ignored. However, most sane admins will not permit root to directly log in remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.
The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create an SSH key and place it in ~root/.ssh/authorized_keys, then you can log in with that key as root.