next »

[lk]

hi to all of you, i'm new in the forum, new in pfsense distro, sure you may help me.

i changed my old ipcop firewall with a new pfsesnse 1.2.2 firewall
My problem regards remote shutdown of pfsense firewall
from an ubuntu pc on which runs APC's Powerchute Agent SOftware.
I googled the internet finding this solution:
When power goes down, APC's Powerchute runs a script containing the code:
plink -ssh -P 220 -pw myrootpasswd root@192.168.1.1 "/sbin/shutdown -h now"
obviously 192.168.1.1 is the pfsense ip address

I do not understand why the script works well only if I run it from the console,
while it does not sort effects if Powerchute runs it on power failure.
Any other command in the script works fine.

Any idea? thanks in advance, lk

[Cry Havok]

Alternatively move your Ubuntu system to use NUT (Network UPS Tools) and install the NUT package on pfSense.  Then all you have to do is configure the pfSense host as a slave of the Ubuntu host and it'll shut down automatically on power outage.

[jimp]

Even if you get this working, consider using "shutdown -p" instead. On many modern systems, this will power the system off.

-h will halt the system, but leave it running, which will just sit there and drain your batteries more.

I tried the command with the syntax you gave, and it did shut down my system.

Have you run it by hand once to make sure the key is saved in the cache?

[lk]

Alternatively move your Ubuntu system to use NUT (Network UPS Tools) and install the NUT package on pfSense.  Then all you have to do is configure the pfSense host as a slave of the Ubuntu host and it'll shut down automatically on power outage.

ok, i will consider also this possibility, thanks 

[lk]

Even if you get this working, consider using "shutdown -p" instead. On many modern systems, this will power the system off.

-h will halt the system, but leave it running, which will just sit there and drain your batteries more.

I tried the command with the syntax you gave, and it did shut down my system.

Have you run it by hand once to make sure the key is saved in the cache?

thanks for the suggestion,
next time i'll make test i will try it.
In effect pfsense box only halts system that stands powered on until apc ups cuts off current..

i run the script many ways, all ok:
- by hand (from console) and obviously first time it asked me to save key..
- running script at a certain time, cron scheduled
- manipulating pfsense rc.initial to accept remote command from root from a specific ip (ubuntu)
- tried also to access pfsense from ubuntu via public / private key
but i do not understand why if the command runs from a script in which i insert that code and also vmware suspending code, all vmware virtual machines (on ubuntu server) suspend, firewall does not halt!!

maybe the problem depends on the user that activate the script (that should be ubuntu root)?
any idea?
 
 

[jimp]

i run the script many ways, all ok:
- by hand (from console) and obviously first time it asked me to save key..
- running script at a certain time, cron scheduled
- manipulating pfsense rc.initial to accept remote command from root from a specific ip (ubuntu)
- tried also to access pfsense from ubuntu via public / private key
but i do not understand why if the command runs from a script in which i insert that code and also vmware suspending code, all vmware virtual machines (on ubuntu server) suspend, firewall does not halt!!

maybe the problem depends on the user that activate the script (that should be ubuntu root)?
any idea?

Just to clarify, does it ever work? Even if run by hand?

I didn't see that you were running from Ubuntu before. I saw you mention "plink" and thought you were using PuTTY on Windows. When I did run that on Windows, though, I had to either specify the full path to plink or change to the directory containing plink first. I'll try it from an Ubuntu station and see what happens.

Are the commands you're using to connect to the other hosts similar to what you are using to connect to pfSense?

The user running the command might matter if it is different than the one you used to run it by hand to save the key. If you run it as yourself, and save the key, then root wouldn't have a key saved when it ran. So you can try to run it by hand with sudo, or have your script call it as your own user.

[jimp]

FYI - I just tried this from an Ubuntu workstation using plink and it worked from there, too.

[lk]

i run the script many ways, all ok:
- by hand (from console) and obviously first time it asked me to save key..
- running script at a certain time, cron scheduled
- manipulating pfsense rc.initial to accept remote command from root from a specific ip (ubuntu)
- tried also to access pfsense from ubuntu via public / private key
but i do not understand why if the command runs from a script in which i insert that code and also vmware suspending code, all vmware virtual machines (on ubuntu server) suspend, firewall does not halt!!

maybe the problem depends on the user that activate the script (that should be ubuntu root)?
any idea?

Just to clarify, does it ever work? Even if run by hand?

I didn't see that you were running from Ubuntu before. I saw you mention "plink" and thought you were using PuTTY on Windows. When I did run that on Windows, though, I had to either specify the full path to plink or change to the directory containing plink first. I'll try it from an Ubuntu station and see what happens.

Are the commands you're using to connect to the other hosts similar to what you are using to connect to pfSense?

The user running the command might matter if it is different than the one you used to run it by hand to save the key. If you run it as yourself, and save the key, then root wouldn't have a key saved when it ran. So you can try to run it by hand with sudo, or have your script call it as your own user.

scuse me, just to clarify: this is the scenario:

i've 2 PCs and 1 ups

pc1:
ubuntu server 8.04 + putty-tools (plink) + putty + apc powerchute agent + vmware server 2.0 (on which run various linux & windows VM)   

pc2:
pfsense 1.2.2

ups:
apc smart ups 1000 connected via serial port to pc1


All the tests i made were directly from CLI on ubuntu shell, pc1 (never tried the script on windows pc).
all the times, except the first test (key exchange), the script worked perfectly.

the plink script does not work only if it is launched by apc powerchute software

note:
i inserted the command "plink -p 220 etc" in a script sd.sh
and told apc powerchute software to run sd.sh before shut down all..
this is the script sd.sh

#!/bin/bash
plink -p220 etc
various commands to suspend virtual machines

when i unplug powerchord from the ups, ups beeps and after 1 minute runs sd.sh, that suspends all VMs, shuts down ubuntu/pc1, but does not halt pfsense/pc2

hope to be clear now.

thanks, bye.

[jimp]

Does that script have a proper path set?

Have you tried giving the full path to the plink executable?

[lk]

Does that script have a proper path set?

Have you tried giving the full path to the plink executable?

hi jimp,
in my script i always specified the complete path for script and for plink.

news
yesterday i made another test session:
1. the  -p  option works well, shutting down completly pfsense pc, thanks
2. found a cmdfile.log file in apc dir that logs the ssh communication with pfsense: the log ends with a "store key in cache? (y/n)" !!
i don't know why, but when powerchute runs plink script, it waits for a response and does not execute shutdown command on remote pfsense!!

I'll pay my attention triing to automate root ssh key exchange
bye
 

[jimp]

Sounds like a promising lead. 

It may be as simple as copying your ~/.ssh/known_hosts file to the home directory of the user running the APC software.

[lk]

Sounds like a promising lead. 

It may be as simple as copying your ~/.ssh/known_hosts file to the home directory of the user running the APC software.

no, it does not work for me..

but finally i found the solution, only with ssh, without putty neither plink, after reading this post:
http://forum.pfsense.org/index.php/topic,11356.msg62849.html#msg62849

here the howto:

Purpose: remote shutdown the firewall via ssh
Solution: ssh ssh-keygen
Requirements:
    ssh, shell (for both firewall + client), webGUI
Settings:
    firewall pfsense 1.2.2 (192.168.1.1)
    APC Powerchute on Ubuntu Server 8.04 lts (192.168.1.9)
FIXME:
    security hole due to NON-password private RSA key

Step 1: prepare non-password RSA key ==> for automatic proccess
   a. from client, with administrative privileges use ssh-keygen to generate private/public key 'pfsense' without password
   b. verify on client the private key is into => ~/.ssh/pfsense
   c. put the public key pfsense.pub to firewall => /root/.ssh/authorized_keys (you can use webGUI to update the key)
   
Step 2: empty the file .profile on pfsense
   a. ssh login to the firewall / webGUI Diagnostics - Execute Shell command
      to empty the file .profile
Code:
echo '' > /root/.profile
  This step is required, so that we can use script from client. If you do not do this, the shell is INTERACTIVE and scripts from client cannot run

Step 3: from ubuntu client, as root run code
  ssh -p 220 -v root@pfsense
  answering yes to accept key exchange (only at first connetion)

Step 4: insert code  ssh -p 220 root@pfsense "/sbin/shutdown -p now"
  in the script /opt/APC/PowerChuteBusinessEdition/Agent/cmdfiles/sd.sh that APC Powerchute runs at power supply down

Step 5: verify pfsense firewall shutdown correctly on ups power down


Hope to be clear,
special thanks to:
- Rocky, for the clear guide to rsync backup on pfsense,
- Jimp, for the collaboration (-p option..)
but i belief that Cry Havok' solution (NUT use) could be better: i'll try later.

bye

[martinlompa]

  Hi Guys
I have a similar problem, but not related to a UPS at all.  I am running the plink shutdown commant from a windows pc to shut down PFSENSE remotely, manually.

I have had ZERO luck with remotely shutting down pfsense.  It works perfectly to shut down my Ubuntu server tho...no hassles.

Has anyone got this working? Please give me some guidelines.  thank you!!
Martin - Cape Town

this is my commands.txt:

shutdown -P -h now
root

This is my batch file shutdown.bat:

plink.exe -ssh -l root -pw ******** -m commands.txt root@192.168.12.1

when I run the patch file it's just blank and does not close. obviously something it not working....how can I set up pfsense to allow this command to work?

[Bern]

It's probably because the login shell is the menu, which IIRC is /etc/rc.initial, so it's hanging there waiting for you to choose a menu item

[martinlompa]

erm ok, so what do i do?  would you know how to write a shutdown script for pfsense?  one that I can execute from within windows?  maybe with plink?

please help?  is it possible that pfsense does not allow plink? 
i'm not a linux guru...