23

I'm administrating a networked environment and I had an interesting situation arise yesterday. When a host is required to shut down by a regular user, it refuses to do so if other users are logged in locally. This, however, is not the case when other users are logged in via SSH. If one user is logged in locally and one user is logged in via SSH and the locally logged-in user attempts shutdown, it succeeds without even a warning and the other user's SSH connection is abruptly terminated. My question is, is there a way to prevent this like the policy does for local users? I have already looked at the man page for sshd_config and couldn't find anything that seems related.


EDIT (Additional info.):

There are 4 OS's on the network: Mandriva 2009, Mandriva 2010.2, Mandriva 2011 and Ubuntu 11.04. The specific case I'm referring to had the SSH user on a Mandriva 2009 host and the local user on a Mandriva 2011 host.

Mandriva 2009 hosts use the GNOME 2.28 environment, 2010.2 hosts use GNOME 2.32, 2011 hosts use KDE Plasma and the Ubuntu 11.04 hosts use Unity.


Update

As I noted in this question, I have looked into polkit actions under /usr/share/polkit-1/actions/ and found (in the file org.freedesktop.consolekit.policy) an action called org.freedesktop.consolekit.system.stop-multiple-users that throws the message

System policy prevents stopping the system when other users are logged in

I'm thinking (due to the org.freedesktop.* naming convention) that this is some kind of signal sent to the DM via D-BUS. I think that if I can find out what signal triggers this polkit action, I should be able to modify its behavior. Any ideas?


Update 2

I tried a little experiment today and it gave me very strange results. I tried logging in via SSH to one box and made sure no other users were logged in on any VTs. If I choose to Shutdown from the "Actions" menu of GDM, I get the long-awaited policy message informing me that it's impossible to do so without authentication as other users are logged in. However, if I use GDM to locally log in and choose to shut down the box from GNOME's menu, the SSH session is clobbered as before. How is this possible? Is the behavior different when I initiate a shutdown request from GDM than when I initiate it from within a gnome-session? Does that tell anybody anything that can help me solve the problem?

Joseph R.
  • 39,549
  • It'd probably help if you could give some hint as to what OS you're running. – Jenny D Feb 28 '13 at 12:42
  • There are 4 OS's on the network: Mandriva 2009, Mandriva 2010.2, Mandriva 2011 and Ubuntu 11.04. I didn't realize this was OS-specific; editing my question... – Joseph R. Feb 28 '13 at 12:44
  • 2
    I think it's more to do with OS than with SSH. It's not something I've run up against in the Unixes I run; but then again, I usually do shutdown as root. – Jenny D Feb 28 '13 at 12:53
  • @JennyD: A solution might be to prevent users from shutting down via the UI; but I think that would be rather annoying to them. – Joseph R. Feb 28 '13 at 12:59
  • 2
    Rather than being an issue with SSH, it might be an issue with the configuration of PAM (on the host being shut down). Have you looked into how PAM could help shutdown determine logged-in users and provide the same warning to a user looking to shut down the system? – Rob Gibson Feb 28 '13 at 14:55
  • @RobGibson: Sounds promising. I will look into it and let you know. – Joseph R. Feb 28 '13 at 14:58
  • I got one idea to do with SSH as well - there's the option UseLogin that might be useful, depending on how the OS determines if other users are logged in or not. – Jenny D Feb 28 '13 at 15:33
  • Hm, now I think of it... how exactly do the users perform a shutdown? If they click a button on their desktop, it would probably be interesting to know what exactly that button does, i.e. if it calls /sbin/shutdown directly or if it's tied to some sort of script that does the checking for logged-on users. What desktop environment are they using? – Jenny D Feb 28 '13 at 15:34
  • @JennyD: I saw UseLogin in the man page and excluded it because it disables X11Forwarding, which is not an option for me. In answer to your second question, please see my edited question. – Joseph R. Feb 28 '13 at 15:36
  • @don_crissti Interesting link. I do have polkit installed. I have also seen the action org.freedesktop.consolekit.system.stop-multiple-users in /usr/share/polkit-1/actions which prevents stopping the system when multiple users are logged in. It seems to be correctly configured (allow_inactive => no and allow_active => auth_admin_keep). I haven't messed with local authorities, so it seems I should have the same situation as in the link; except I don't. Curiously enough, console-kit-daemon can't be started. Is this normal? – Joseph R. May 23 '13 at 00:20
  • @don_crissti But the rules are applied. I do get the message "System policy prevents stopping the system when other users are logged in" as defined by the polkit action. The problem is, I only get this message if I attempt shutdown as a locally-logged-in user when there are other locally-logged-in users. To be more specific: when other users have desktop sessions of their own or are logged in on one of the VTs (tty1 through tty6) – Joseph R. May 23 '13 at 00:54
  • @don_crissti First of all, thanks for the follow up. Second, what I wanted to ask you is this: gnome-session-manager sends the can_stop signal to consolekit to know if the shutdown request can be granted. How does consolekit proceed to answer this signal? What are the "authorization rules" you mentioned that it uses to determine whether other users are logged in? I feel that this is the core of the issue. – Joseph R. May 28 '13 at 22:15
  • @don_crissti I'll follow up on the (very interesting) links in your comment tomorrow (it's 1 AM in my part of the world right now). Meanwhile, please see Update2 to the question in case it can shed any light on this. – Joseph R. May 28 '13 at 23:02
  • @don_crissti I think what I did in Update2 above explains the seemingly inconsistent behavior in this blog post you linked to in an earlier comment. – Joseph R. May 28 '13 at 23:06

3 Answers

4

You actually found the right information. At least it worked under Ubuntu up to 13.04.

The following policy entry, when set up with "auth_admin_keep" as below, would prevent the shutdown from happening:

<action id="org.freedesktop.consolekit.system.stop-multiple-users">
  <description>Stop the system when multiple users are logged in</description>
  <message>System policy prevents stopping the system when other users are logged in</message>
  <defaults>
    <allow_inactive>no</allow_inactive>
    <allow_active>auth_admin_keep</allow_active>
  </defaults>
</action>

But somehow, since 13.10, this policy is totally ignored. No one thus far has been able to tell me what would replace it (if anything.)

Note that you also have such an entry for restart (org.freedesktop.consolekit.system.restart-multiple-users), which should also be set to auth_admin_keep.

See this question/answer too on AskUbuntu: https://askubuntu.com/questions/1190/how-can-i-make-shutdown-not-require-admin-password

Alexis Wilke
  • 2,857
3

I would write a small program that checked for any active SSH connections via netstat and/or ps. Drop it in place of the shutdown command.

If no one else is using the machine, call shutdown when the user tries to. If someone is using the machine, simply warn the user who issued the shutdown command.

Netstat will give you output like this, and it's pretty easy to look for .ssh in the output.

netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0     52  10.5.6.xx.ssh          10.6.6.yy.51400        ESTABLISHED
tcp        0      0  *.ssh                  *.*                    LISTEN
udp        0      0  *.syslog               *.*

ps will give you output like this, but it's a bit harder because you have to make sure not to worry about outbound connections. Netstat is probably the right way to go.

  ps -e | grep ssh
      10084366 ?        00:00:07 /opt/sbin/sshd
        282647 ?        00:00:00 /opt/sbin/sshd
kmort
  • 724
  • Sounds really good. I'm thinking a more robust way is to augment the SSH PAM session chain with a program that touches a file when a user logs in via SSH and removes it when the user logs out and then have the program you suggested simply check for the existence of these files. If this works, I'm accepting your answer. – Joseph R. Feb 28 '13 at 18:01
  • 1
    That should work. One thought: what happens if they disconnect without logging out? Does the file get touched if the SSH session simply dies? You would want to make sure it does – kmort Feb 28 '13 at 18:13
  • Hmmm. That is indeed food for thought... – Joseph R. Feb 28 '13 at 18:22
  • 1
    Perhaps your approach can be simplified by parsing the output of who instead. It shows which user(s) is/are connected and from which host. – Joseph R. Feb 28 '13 at 18:31
  • 1
    Very likely. On the shell I use most who doesn't give much output, but most other shells it does. (Silly embedded system...) In any case, if you want to use netstat, it's pretty simple to get the column you need with awk. Something along the lines of netstat -a | awk '{print $4}' (At least on my shell.) – kmort Feb 28 '13 at 18:50
  • This may not be as simple as I imagined. When I tried on a Mandriva 2010.2 host, using the UI to shutdown brought up the usual dialog giving you the choice of either shutting down, hibernating or restarting. When I chose the Shut Down option, it simply logged off. What I did was replace shutdown (which on my system happens to be a symlink to /bin/systemctl) with a simple script that outputs a zenity information dialog. The host simply logged off without displaying the dialog. – Joseph R. Mar 01 '13 at 17:01
0

Count SSH connections, and if more than yours, then shutdown:

SSH_CONS=$(ps x | grep 'sshd:' | grep -v 'grep' | wc -l)

if [ "$SSH_CONS" -gt 1 ]
then
    echo "More than 1 SSH connection..."
else
    echo "Shutting down..."
    # halt
fi

Something like this?

I would probably insert some read variables so it would prompt me, like "Do you want to shutdown anyway?" and "Do you want to shutdown?".

Then you could use it as an alias or similar.

Pablo A
  • 2,712
Adionditsak
  • 3,935
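
The check that both the netstat/ps answer and the SSH-counting answer above describe, done here by parsing who output as suggested in the comments. This is an added example, not code from any of the posters; the function names, the constructed sample who lines and the rule that an origin starting with ":" is a local display are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse shutdown while other users have remote logins.
# Assumed input: one `who` line per session, with the remote origin in
# trailing parentheses, e.g. "bob pts/1 2013-02-28 18:01 (10.6.6.20)".

# remote_sessions ME : read `who` output on stdin and print "user tty host"
# for each remote session that does not belong to user ME.
remote_sessions() {
    awk -v me="$1" '
        {
            origin = $NF
            # No "(host)" field: a text console login (tty1..tty6).
            if (origin !~ /^\(.*\)$/) next
            # "(:0)" or "(:0.0)": local X display or terminal emulator.
            if (origin ~ /^\(:/) next
            # The user asking for the shutdown does not block it.
            if ($1 == me) next
            gsub(/[()]/, "", origin)
            print $1, $2, origin
        }'
}

# guarded_shutdown ME : return 1 and list the sessions on stderr if any
# remote user other than ME is logged in; return 0 otherwise.
guarded_shutdown() {
    others=$(remote_sessions "$1")
    if [ -n "$others" ]; then
        echo "Refusing to shut down; remote sessions are open:" >&2
        echo "$others" >&2
        return 1
    fi
    return 0
}

# Constructed sample `who` output (not captured from a real host).
SAMPLE_WHO='alice    tty7         2013-02-28 09:12 (:0)
alice    pts/0        2013-02-28 09:15 (:0.0)
bob      tty1         2013-02-28 09:00
joseph   pts/1        2013-02-28 18:01 (10.6.6.20)'

# Live use: who | guarded_shutdown "$(id -un)" && /sbin/shutdown -h now
```

As the last comment on the netstat answer reports, a desktop shutdown button may not call the shutdown command at all, so a wrapper like this guards only the command-line path.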