Is it possible to remotely cancel a scheduled shutdown when /run/nologin exists?

Besides using the "root" account to make a new SSH connection, we can actually use PAM to allow specific users or groups to log in.

The PAM configuration for sshd is located at /etc/pam.d/sshd, which is responsible for what you are looking for.

By editing this file and using pam_succeed_if.so, we can allow a specific user or group to log in even when /run/nologin exists on the machine.

pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items. One use is to select whether to load other modules based on this test.

So we use it to decide whether we should load the pam_nologin.so module or not, based on your username or user group.

Open the file using your favorite text editor:

$ sudo vi /etc/pam.d/sshd

And find these lines:

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

Add this line between them:

account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo

So now the lines should look like this:

# Disallow non-root logins when /etc/nologin exists.
account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account  required     pam_nologin.so

Now users who are in the sudo group can log in even when /run/nologin exists.

And to allow a specific user:

account [default=2 success=ignore] pam_succeed_if.so quiet user != username

For more flexible conditions, check out:

man pam_succeed_if
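
The jump logic in the lines above can be traced with a small simplified model of the account stack. This is an added example, not part of the original answer and not libpam code. It assumes the per-user line is placed above the group line (which is why it skips two modules), and the user names alice, bob and carol are constructed.

```python
import re

def succeed_if(args, user, groups):
    """Evaluate the pam_succeed_if tests used above (only 'user' tests modelled)."""
    field, op, value = [a for a in args if a != "quiet"]
    if field != "user":
        raise ValueError("only 'user' tests are modelled")
    if op == "notingroup":
        return value not in groups
    if op == "!=":
        return user != value
    raise ValueError("unsupported operator: " + op)

def account_allowed(stack, user, groups, nologin_exists):
    """Walk the account stack; False means pam_nologin ran and refused the login."""
    lines = [l.strip() for l in stack.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    i = 0
    while i < len(lines):
        control, module, args = re.match(
            r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", lines[i]).groups()
        i += 1
        if module == "pam_succeed_if.so":
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            met = succeed_if(args.split(), user, groups)
            action = actions["success"] if met else actions["default"]
            if action.isdigit():
                i += int(action)      # jump over the next N modules
        elif module == "pam_nologin.so" and nologin_exists and user != "root":
            return False              # required module failed
    return True

# Stacks from the answer; "alice" stands in for "username" (constructed name).
GROUP_ONLY = """
# Disallow non-root logins when /etc/nologin exists.
account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account  required     pam_nologin.so
"""
# Assumption: the per-user line sits above the group line, hence default=2.
USER_AND_GROUP = """
account [default=2 success=ignore] pam_succeed_if.so quiet user != alice
account  [default=1 success=ignore] pam_succeed_if.so quiet user notingroup sudo
account  required     pam_nologin.so
"""

if __name__ == "__main__":
    for name, groups in [("bob", {"sudo"}), ("carol", {"users"}), ("alice", {"users"})]:
        print(name, account_allowed(USER_AND_GROUP, name, groups, True))
```

In this model, a per-user line with default=1 placed above the group line would only skip the group test, so pam_nologin would still run for that user.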

If root can remotely log in to the system, nologin is ignored. However, most sane admins will not permit root to directly log in remotely, in favor of an authorized user logging in and using sudo. If the latter is not the case, however, root can log in and abort the shutdown.


The nologin is ignored for user root. So you could use SSH to connect as root, but you probably have a distribution that doesn't allow root logins by default. You can create an SSH key and place it in ~root/.ssh/authorized_keys, then you can log in with that key as root.
