Today I wanted to go about fixing my Windows Small Business Server 2003 server, which shares an APC UPS with a Gentoo Linux box running my Asterisk PBX, so that it sends a shutdown command if the power goes out. I’m not rich (yet), so I can’t afford a fancy UPS; the one I have only has one monitoring cable. So I had to create a way to shut down the Linux box on power failure while also shutting down the Windows box. Minimal data loss is always a good thing.
Here’s what I did, with some help from a buddy of mine who’d implemented this before but not documented it.
Now let’s add a shutdown user to the Linux box.
# groupadd winshutdown
# adduser -d /home/winshutdown -g users -G winshutdown -m -s /bin/bash winshutdown
# passwd winshutdown
New UNIX password: <password>
Retype new UNIX password: <password>
passwd: password updated successfully
Go over to your Windows system, and download PuttyGen.exe. Put it in your c:\LinuxShutdown directory and run it.
First create your directory.
Now, create a 1024-bit key by running puttygen.exe. Make sure it’s DSA.
Move your mouse around and then it should finish generating your new key.
Once it is finished, you need to copy out the dss key that goes into your authorized_keys file on the Linux server. Put this in a text file for now for safe keeping.
Note that you do not enter a passphrase for the key; otherwise the script will ask for it when it is activated.
Now save your private and public key under the actions menu.
Now you should have a private and a public key in the c:\LinuxShutdown directory.
Go to your Linux server and restrict the key so that it can only run the shutdown command. We chose to halt, and then power down immediately.
<login as winshutdown>
# cd .ssh
# nano authorized_keys
<paste contents of puttygen file we copied earlier>
from="10.0.3.2",command="sudo /sbin/shutdown -h -P now" ssh-dss
Ensure that the user created above, “winshutdown”, has sudo abilities for shutdown.
# exit
<back to root shell>
# cd /etc
# visudo
Your file should look like this to begin with:
# User privilege specification
root ALL=(ALL) ALL
When finished, it should look like this:
# User privilege specification
root ALL=(ALL) ALL
winshutdown ALL = NOPASSWD: /sbin/shutdown
Go to your Windows Server LinuxShutdown folder with the private key, public key, plink.exe and puttygen.
In the same folder create a batch file. Right click in the folder and go down to new, text document. Save it as shutdown_asterisk.bat.
Edit the batch file; its contents should look something like this. Modify appropriately for your key file name.
@plink -T winshutdown@10.0.2.10 -i sbs_private_key.ppk sudo /sbin/shutdown -h -P now
Test it by running the batch file. Your Linux server should shut down.
Set your alarm on low power to run your batch file.
First go to Start -> Control Panel -> Power Options.
Once you’re in your Power Options window, select the Alarms tab.
Now we’ll want to look at the “Critical Battery Alarm” section, and click on the “Alarm Action” button. This should pop up a screen similar to the following.
Now we’ll need to go to the “Run a Program” section, and enable the “When the alarm occurs, run this program:” option.
This is where the magic happens. We’ll make this run our newly created batch file on battery alarm to shut down the remote server. Enter the path to your batch script in the new window that pops up.
Now you will just need to enter your Administrator password for your server in the little window that pops up.
Now click Apply, Ok, Ok, Apply, Ok. You’re finished with this setup.
Backup all data.
Pull the plug on the UPS and ensure it does everything it should (Windows stays up for 3 minutes, then sends the shutdown command, and both boxes shut down).
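An added example, not part of the original tutorial: a small Python check for the authorized_keys entry built in the Linux steps above. It parses the line in the order sshd expects (options, key type, base64 key, comment) and reports what a shutdown-only key is still missing. The sample entries, the AAAAPLACEHOLDER key material and the function names parse_line and audit are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
# Options that keep a forced-command key from opening a pty or tunnels.
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|$)')

# Constructed sample entries; AAAAPLACEHOLDER stands in for real key material.
FORCED = 'from="10.0.3.2",command="sudo /sbin/shutdown -h -P now"'
PAGE_ENTRY = FORCED + " ssh-dss AAAAPLACEHOLDER winshutdown@sbs"
HARDENED = "restrict," + FORCED + " ssh-ed25519 AAAAPLACEHOLDER winshutdown@sbs"
UNRESTRICTED = "ssh-rsa AAAAPLACEHOLDER rsa-key-20081010"

def parse_line(line):
    """Split one authorized_keys line into (options, key type, comment)."""
    line, options = line.strip(), {}
    if not line.startswith(KEY_TYPES):
        # The options field ends at the first whitespace outside double quotes.
        quoted, end = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            elif ch.isspace() and not quoted:
                end = i
                break
        for m in OPTION_RE.finditer(line[:end]):
            options[m.group(1).lower()] = m.group(2)
        line = line[end:].strip()
    fields = line.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPES):
        raise ValueError("expected: [options] keytype base64-key [comment]")
    return options, fields[0], fields[2] if len(fields) > 2 else ""

def audit(line):
    """List weaknesses of a key that is meant to run one forced command."""
    options, key_type, _ = parse_line(line)
    findings = []
    if "command" not in options:
        findings.append("no command=: the key can run any command")
    if "from" not in options:
        findings.append("no from=: the key is accepted from any address")
    if "restrict" not in options and not LOCKDOWN.issubset(options):
        findings.append("pty and forwarding allowed: add restrict or the no-* options")
    if key_type == "ssh-dss":
        findings.append("ssh-dss (DSA) is disabled by default since OpenSSH 7.0")
    return findings

if __name__ == "__main__":
    for name in ("PAGE_ENTRY", "HARDENED", "UNRESTRICTED"):
        print(name, audit(globals()[name]) or "ok")
```

The sudoers rule can be narrowed in the same spirit: writing the full command, /sbin/shutdown -h -P now, in place of /sbin/shutdown limits the user to exactly those arguments.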
I hope you enjoyed this little tutorial, please let me know if it helped you in the comments below.
Comments
Comment by sridhar on 2008-02-27 02:30:05 -0500
nice one…. but all i get is connection refused 🙁
Comment by Matt G on 2008-02-27 04:34:23 -0500
Hm, I’m not sure why this would be happening. Can you provide more info of your logs?
Comment by networks on 2008-07-08 20:19:05 -0500
Great howto! Excellent functionality when you’ve got a couple of linux servers dependent on a ups that has its comms connected to a windoze box. On debian Etch I had to use ‘useradd’ instead of ‘adduser’, apart from that it all worked first go.
Keep up the good work!
Cheers
Comment by Dylan on 2008-09-13 12:07:56 -0500
Good guide and just what I needed. Personally I had problems with the public private keys. So I checked the commandline help of plink and found you can specify the password on the command line. Not as secure as what’s detailed above, but still effective. Use
plink -T winshutdown@10.0.2.10 -pw sudo /sbin/shutdown -h -P now
Also, I’m using Fedora, which has some additional defaults in the sudoers file. If you’re getting the error “sudo: sorry, you must have a tty to run sudo”
you need to comment out “Default requiretty” (put a “#” before it)
Comment by Dylan on 2008-09-13 12:09:03 -0500
Comment filter changed my code. Here’s the plink syntax again
plink -T winshutdown@10.0.2.10 -pw yourpasswordhere sudo /sbin/shutdown -h -P
Comment by ians on 2008-12-02 14:04:18 -0500
Thank you a lot, without your text I would never know where to start. Differences from your tutorial and problems I’ve encountered:
- I had to use “useradd” instead of adduser
- When generating the public key to paste to authorized_keys, putty created as last “word” something like rsa-key-20081010. I’m not sure if that was the only reason for authentication failure but I had to put the user@machinename there instead of that word. So all in all I had to put the from=xx,command=xxx as the first thing in the line and then only ssh-rsa thebinaryencoding and then user@machine as the rest of the long line, everything separated by spaces (note that the order is different than what you published)
- Then I had to chmod 700 .ssh directory and chmod 600 authorized_keys
- I believe I had to edit the conf file of sshd to allow connection of the group winshutdown over ssh
- according to sshd man page, the end of the plink line (after the .ppk) can be anything, if the command inside of authorized_keys is recognized, and the command provided through the plink will be ignored.
Thanks again!
Comment by Ken Patel on 2009-03-10 00:42:47 -0500
Can anyone please post the exact order of the authorized_keys please
Comment by Humberto Sousa on 2009-10-08 06:39:14 -0500
Outstanding !…
Works perfectly from windows 2000 server to OpenSUSE 11.1 64
just change adduser to useradd …
Great Job!
Comment by Hugo Meza on 2010-03-15 02:02:24 -0500
THNKS A LOT!!
It works correctly in Windows 7 Pro and Ubuntu 8.04, of course I have to use useradd instead of adduser.
Greetings.
Comment by Cleiton on 2013-02-04 07:16:52 -0500
Very nice indeed.
Thank you