Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    driving me mental, remote login to pfsense CLI to shutdown

    Scheduled Pinned Locked Moved General pfSense Questions
    43 Posts 5 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jdeloach @automate
      last edited by

      @automate Probably need to install the "sudo" package from package manager if it is not already installed and then issue the command 'sudo shutdown -h now'. I think this works for most variants of Linux, not sure about FreeBSD.

      Also you may or may not need the '-h' in the command.

      1 Reply Last reply Reply Quote 0
      • A
        automate
        last edited by

        thanks same issue :(

        i can login with 'ssh user@192.168.1.254' but when i put

        ssh user@192.168.1.254 'sudo shutdown -h now'

        It fails with:

        ssh nsautomate@192.168.1.254 sudo shutdown -h now

        We trust you have received the usual lecture from the local System
        Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
        

        sudo: no tty present and no askpass program specified

        A 1 Reply Last reply Reply Quote 0
        • A
          automate @automate
          last edited by

          Or this works, but asks me for a password!

          ssh -t nsautomate@192.168.1.254 "sudo shutdown -h now"

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Have you configured sudo correctly?

            Does it work if you manually ssh into pfSense and then run the command?

            Steve

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              see your other thread... Where you said jimp instructions don't work ;)

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Aha, so not configured correctly! 😉

                1 Reply Last reply Reply Quote 0
                • A
                  automate
                  last edited by

                  Reinstalled the package and now I can execute the shutdown script without a password.

                  I still cannot login via ssh without a password, despite using the ssh-keygen utility and a copy of the key over. it works for a few minutes then stops working. Very bizzare!

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    I always login via public key when I ssh.. Not a fan of passwords and ssh - have had zero issue doing this on any pfsense going back to like 1 ;)

                    Your saying it lets you log in with public key, and then you go to login again and it doesn't? Do a ssh -vvv when you attempt to login.. what do you get? Or what does the pfsense log say about it after you can not login.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 1
                    • A
                      automate
                      last edited by

                      LOTS of output hahah!

                      nsautomate@ihp:/etc/openhab2/rules$ sudo -u openhab ssh -vvv nsautomate@192.168.1.254 'sudo shutdown -h now'
                      OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
                      debug1: Reading configuration data /etc/ssh/ssh_config
                      debug1: /etc/ssh/ssh_config line 19: Applying options for *
                      debug2: resolving "192.168.1.254" port 22
                      debug2: ssh_connect_direct: needpriv 0
                      debug1: Connecting to 192.168.1.254 [192.168.1.254] port 22.
                      debug1: Connection established.
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_rsa type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_rsa-cert type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_dsa type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_dsa-cert type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_ecdsa type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_ecdsa-cert type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_ed25519 type -1
                      debug1: key_load_public: No such file or directory
                      debug1: identity file /var/lib/openhab2/.ssh/id_ed25519-cert type -1
                      debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
                      debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
                      debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
                      debug2: fd 3 setting O_NONBLOCK
                      debug1: Authenticating to 192.168.1.254:22 as 'nsautomate'
                      debug3: hostkeys_foreach: reading file "/var/lib/openhab2/.ssh/known_hosts"
                      debug3: record_hostkey: found key type ED25519 in file /var/lib/openhab2/.ssh/known_hosts:1
                      debug3: load_hostkeys: loaded 1 keys from 192.168.1.254
                      debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
                      debug3: send packet: type 20
                      debug1: SSH2_MSG_KEXINIT sent
                      debug3: receive packet: type 20
                      debug1: SSH2_MSG_KEXINIT received
                      debug2: local client KEXINIT proposal
                      debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
                      debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
                      debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
                      debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
                      debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
                      debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
                      debug2: compression ctos: none,zlib@openssh.com,zlib
                      debug2: compression stoc: none,zlib@openssh.com,zlib
                      debug2: languages ctos:
                      debug2: languages stoc:
                      debug2: first_kex_follows 0
                      debug2: reserved 0
                      debug2: peer server KEXINIT proposal
                      debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
                      debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519
                      debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                      debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                      debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
                      debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
                      debug2: compression ctos: none,zlib@openssh.com
                      debug2: compression stoc: none,zlib@openssh.com
                      debug2: languages ctos:
                      debug2: languages stoc:
                      debug2: first_kex_follows 0
                      debug2: reserved 0
                      debug1: kex: algorithm: curve25519-sha256@libssh.org
                      debug1: kex: host key algorithm: ssh-ed25519
                      debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
                      debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
                      debug3: send packet: type 30
                      debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
                      debug3: receive packet: type 31
                      debug1: Server host key: ssh-ed25519 SHA256:4RCz4gQY4LJRdlMC2Y1ix0IqQp1zR/pQEo8gkSXC0sw
                      debug3: hostkeys_foreach: reading file "/var/lib/openhab2/.ssh/known_hosts"
                      debug3: record_hostkey: found key type ED25519 in file /var/lib/openhab2/.ssh/known_hosts:1
                      debug3: load_hostkeys: loaded 1 keys from 192.168.1.254
                      debug1: Host '192.168.1.254' is known and matches the ED25519 host key.
                      debug1: Found key in /var/lib/openhab2/.ssh/known_hosts:1
                      debug3: send packet: type 21
                      debug2: set_newkeys: mode 1
                      debug1: rekey after 134217728 blocks
                      debug1: SSH2_MSG_NEWKEYS sent
                      debug1: expecting SSH2_MSG_NEWKEYS
                      debug3: receive packet: type 21
                      debug1: SSH2_MSG_NEWKEYS received
                      debug2: set_newkeys: mode 0
                      debug1: rekey after 134217728 blocks
                      debug2: key: /var/lib/openhab2/.ssh/id_rsa ((nil))
                      debug2: key: /var/lib/openhab2/.ssh/id_dsa ((nil))
                      debug2: key: /var/lib/openhab2/.ssh/id_ecdsa ((nil))
                      debug2: key: /var/lib/openhab2/.ssh/id_ed25519 ((nil))
                      debug3: send packet: type 5
                      debug3: receive packet: type 7
                      debug1: SSH2_MSG_EXT_INFO received
                      debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
                      debug3: receive packet: type 6
                      debug2: service_accept: ssh-userauth
                      debug1: SSH2_MSG_SERVICE_ACCEPT received
                      debug3: send packet: type 50
                      debug3: receive packet: type 51
                      debug1: Authentications that can continue: publickey,password,keyboard-interactive
                      debug3: start over, passed a different list publickey,password,keyboard-interactive
                      debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
                      debug3: authmethod_lookup publickey
                      debug3: remaining preferred: keyboard-interactive,password
                      debug3: authmethod_is_enabled publickey
                      debug1: Next authentication method: publickey
                      debug1: Trying private key: /var/lib/openhab2/.ssh/id_rsa
                      debug3: no such identity: /var/lib/openhab2/.ssh/id_rsa: No such file or directory
                      debug1: Trying private key: /var/lib/openhab2/.ssh/id_dsa
                      debug3: no such identity: /var/lib/openhab2/.ssh/id_dsa: No such file or directory
                      debug1: Trying private key: /var/lib/openhab2/.ssh/id_ecdsa
                      debug3: no such identity: /var/lib/openhab2/.ssh/id_ecdsa: No such file or directory
                      debug1: Trying private key: /var/lib/openhab2/.ssh/id_ed25519
                      debug3: no such identity: /var/lib/openhab2/.ssh/id_ed25519: No such file or directory
                      debug2: we did not send a packet, disable method
                      debug3: authmethod_lookup keyboard-interactive
                      debug3: remaining preferred: password
                      debug3: authmethod_is_enabled keyboard-interactive
                      debug1: Next authentication method: keyboard-interactive
                      debug2: userauth_kbdint
                      debug3: send packet: type 50
                      debug2: we sent a keyboard-interactive packet, wait for reply
                      debug3: receive packet: type 60
                      debug2: input_userauth_info_req
                      debug2: input_userauth_info_req: num_prompts 1
                      
                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        @automate said in driving me mental, remote login to pfsense CLI to shutdown:

                        debug1: Next authentication method: publickey
                        debug1: Trying private key: /var/lib/openhab2/.ssh/id_rsa
                        debug3: no such identity: /var/lib/openhab2/.ssh/id_rsa: No such file or directory
                        debug1: Trying private key: /var/lib/openhab2/.ssh/id_dsa
                        debug3: no such identity: /var/lib/openhab2/.ssh/id_dsa: No such file or directory
                        debug1: Trying private key: /var/lib/openhab2/.ssh/id_ecdsa
                        debug3: no such identity: /var/lib/openhab2/.ssh/id_ecdsa: No such file or directory
                        debug1: Trying private key: /var/lib/openhab2/.ssh/id_ed25519
                        debug3: no such identity: /var/lib/openhab2/.ssh/id_ed25519: No such file or directory
                        debug2: we did not send a packet, disable method

                        Well your not sending your public key - so yeah going to fail!

                        debug1: Offering public key: /home/johnpoz/.ssh/id_ed25519 ED25519 SHA256:y1pJFK<snipped>
                        debug3: send packet: type 50
                        debug2: we sent a publickey packet, wait for reply
                        debug3: receive packet: type 60
                        debug1: Server accepts key: /home/johnpoz/.ssh/id_ed25519 ED25519 SHA256:y1pJF<snipped>
                        debug3: sign_and_send_pubkey: ED25519 SHA256:y1pJFKtYk+f2<snipped>
                        debug3: sign_and_send_pubkey: signing using ssh-ed25519
                        debug3: send packet: type 50
                        debug3: receive packet: type 52
                        debug1: Authentication succeeded (publickey).
                        Authenticated to sg4860.local.lan ([192.168.9.253]:22).
                        

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • A
                          automate
                          last edited by

                          scratching head

                          Im not sure what im doing wrong. Can you point me to some kind of tutorial john to do that? I was under the impression i was

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            If your environment doesn't auto find the key to send, then you would have to call it out in your cmd line for ssh.

                            btw: you don't need to send that direct command, you can just run /etc/rc.halt

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • A
                              automate
                              last edited by

                              I followed this:

                              https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                Yeah those guides tell you how to set it up, no need for me to even read it - but your ssh client has to know where the key it is to use.. See how it pulls my key from my home dir..

                                Setup your local environment to use the key(s) you want.. Be it windows or linux... Im running openssh client on windows..

                                There is a .ssh dir in c:\users\username - this is where you keys would normally go

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • A
                                  automate
                                  last edited by

                                  Thats not going to work.

                                  This is a non interactive setup, what happens is my linux machine (with openhab) runs a script which executes this command as the 'nsautomate' user.

                                  Theres no ability for me to specify keys etc, because its not occuring like that.

                                  What im doing right now is simply 'testing' the command via a shell, but the end state is the openhab user will run this command

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    Well its going to have to be able to send the key, or how would it possible to auth..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      automate
                                      last edited by automate

                                      i thought the keys were saved using the link i mentioned above to the local and remote machine, so when it logs in, its there. That was the whole point.

                                      I used the ssh copy etc

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by johnpoz

                                        I think you should research how public key auths.. Yes there is part on the server that you saved on pfsense, but the client has to send the other part to actually auth.

                                        Running this on linux you can call out in the path directly or the envirnoment of the user running ssh would have it in their path.. You can see when you ran the script where it looked for the key.. Place your private side there.

                                        when you ran the cmd it was looking here for keys it could send
                                        Trying private key: /var/lib/openhab2

                                        yeah when you created the keys, sure you saved it somewhere - but it has to be specified where it is and its name in the cmd you run, or the enviornment of the system needs to know where to find it, ie your /var/lib/openhab2 dir is where it was looking for the keys it could send because you didn't call it out in the cmd.

                                        -i would call out path/file to use to auth with from the cmd line with ssh

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        A 1 Reply Last reply Reply Quote 0
                                        • A
                                          automate @johnpoz
                                          last edited by

                                          @johnpoz OK, so i copied the key to that directory and the same issue persists.

                                          1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            And your sending the key - what does -vvv show you for the process

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.