Tuesday, January 31, 2006

UPS setup with secondary server remote shutdown

Recently one of the locations I support finally acquired some UPSs. As the result of a few surges the other week, they no longer wanted to pay me to rebuild a server (Or hear I told you so).

We have a Belkin SurgeMaster 500VA Battery Backup connected via USB to a Windows 2000 server. The UPS is also providing power to our Linux (Karoshi http://www.karoshi.org.uk ) intranet and proxy/filtering server. I chose to set up the UPS monitor through the 2000 box because, in all likelihood, when I move on the next person may not know much about Linux. Or even worse, a consultant comes in to charge extra $$ because their UPS is hooked up via Linux. The drawback in working in a school is funds. A passing thought is I wonder where all the extra UK petrol tax is going since the price increases... Anyways, back to work.

After installing and setting up the 2000 server as the UPS monitor, I needed a way to safely shut down the Linux box. This was achieved by opening an SSH session using plink (a command-line version of PuTTY) and executing:

shutdown -h now

Sounds easy enough, except our Linux box authenticates everything through Kerberos LDAP through a 2000 domain controller, so it wasn't a matter of setting up the batch file to log in and shut down, because groups aren't synced. In short, there was no easy/quick way to get either sudoers hooked in, or to enter a second password through a tty (which is good security).

What was needed:

  1. sshd installed on the linux box
  2. a folder with NTFS permissions on the 2000 server, for this example we'll call the folder powerdown
  3. plink on the server monitoring the UPS (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
  4. A batch file called upsShutdown.bat
  5. A plink.exe option file called linuxHalt.txt

Once we have the ssh server set up, try logging into the local machine as a client. If this isn't successful, you most likely have to start sshd by running the following as root:
/etc/init.d/sshd start
If you still cannot log in locally, it's time to go google and read the various man pages.

After downloading plink to the powerdown folder, open up a command prompt on the 2000 server (start, run, cmd). Change directory to the powerdown folder and attempt a login by typing:
C:\powerdown> plink linuxCompName -l username -pw ******
You should have a shell after accepting the host key at the prompt. Now we know we can securely log in to our Linux box from Windows, yay! Go celebrate with caffeine or have a play around with your shell.

In order to shell in as root, we have to make a change in our sshd configuration file, located at /etc/ssh/sshd_config. Change PermitRootLogin no, to PermitRootLogin yes.

Because we want the shutdown to be fully automated, we need to produce a batch file that gets called by the UPS monitor. On the 2k server, open up Notepad and enter the following:

plink linuxBoxName -batch -l root -pw plaintextPassword!? -m linuxHalt.txt

Save the file as "upsShutdown.bat" and make sure to include the quotes. Otherwise the file will save as a text file.

The -batch option disables all interactive prompts. The -l option gives the user name to log in as. The -pw switch supplies that user's password.


Wait a minute! A plaintext file with our coveted root login details!?!? OBVIOUSLY, this is not best practice! The scenario here involves a need to login as root because the authentication scheme is only handling LDAP domain user accounts, not the local accounts on the linux box. If I had more time to spend on this I would come up with something better. With that said, if somebody has a simpler solution please let me know! Unfortunately, I don't have the time to implement the most secure solution. Whatever changes, screwups, or problems you have in your network or on your computers because of this information is ONLY your fault. Follow these instructions at your own risk/peril/busted/hacked network!

Of course, since the powerdown folder is on an NTFS volume, tighten its permissions so that only SYSTEM and whatever user your UPS monitor software runs as have access, with Read and Execute only.


Remember, we need to have a way to pass commands once the terminal is open. This is done through the -m option in the batch file. It will open linuxHalt.txt and execute the commands in that file on the remote linux server. Our text file simply has the one line in it:
shutdown -h now

Save your changes.

Now, make sure you have any files open on your Linux box saved and execute the batch file. This will simulate the UPS calling the powerdown script. You should see your Linux box go down immediately. You can replace the now parameter with +5, which would make it shut down in 5 minutes.

Finally, we ensure that our UPS software (Belkin in this case) executes the batch file by entering the full path to the batch script (i.e. c:\powerdown\upsShutdown.bat). If you have a test environment, test it. If not, wait until after hours (duh) and test it live.
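
An added example, not part of the original post: one way to avoid the plaintext root password in upsShutdown.bat and the PermitRootLogin yes setting is a dedicated SSH key that sshd restricts to the shutdown command. The function names, the 192.0.2.10 client address, the placeholder key and the ups.ppk file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: limit a root SSH key to "shutdown -h now".
# make_entry, root_login_mode, audit and all sample values are hypothetical.

# Build an authorized_keys line for /root/.ssh/authorized_keys.
# $1 = OpenSSH public key line (PuTTYgen can export one), $2 = allowed client
make_entry() {
    printf 'from="%s",command="/sbin/shutdown -h now",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$2" "$1"
}

# Print the PermitRootLogin value from sshd_config text on stdin.
# sshd keeps the first value it reads for a keyword; names are case-insensitive.
root_login_mode() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Pass only if root logins are refused or limited to forced commands.
audit() {
    mode=$(printf '%s\n' "$1" | root_login_mode)
    case "$mode" in
        no|forced-commands-only) echo "ok: PermitRootLogin $mode" ;;
        *) echo "weak: PermitRootLogin $mode, use forced-commands-only"
           return 1 ;;
    esac
}

# Constructed inputs: placeholder key material and a two-line config excerpt.
SAMPLE_KEY='ssh-rsa AAAAB3PLACEHOLDER ups-shutdown'
SAMPLE_CONF='Protocol 2
PermitRootLogin yes'

make_entry "$SAMPLE_KEY" '192.0.2.10'
audit "$SAMPLE_CONF" || true

# Windows side, assuming the private key was saved as c:\powerdown\ups.ppk:
#   plink linuxBoxName -batch -l root -i c:\powerdown\ups.ppk
# sshd runs the forced command whatever the client asks for, so neither
# -pw nor -m linuxHalt.txt is needed.
```

With -batch, plink aborts instead of prompting when the server's host key is not already cached for the account the UPS software runs as, so accept the key once under that account. sshd must be restarted before a changed PermitRootLogin value takes effect.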