Shutting down a firewall remotely via a passwordless script

Hi All

So I'm shutting down pfsense via a rule. I’ve installed the cron package on pfsense which allows a command to be run without a password, this works fine.

I also used the ssh key gen to setup pub/private keys, so ssh user@192.168.1.254 also works fine from openhab

My rule below fails though, I've tried many permutations without success. Any guidance would be great!


rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
        shutdownfirewall.postUpdate(OFF)
        Thread::sleep(100)
        executeCommandLine("sudo@ssh@user@192.168.1.254@sudo@/etc/rc.halt")
end

See if it has anything to tell you

var result = executeCommandLine("sudo ...")
logInfo("exectest"."results- " + result)

hi rossko57


09:06:40.920 [WARN ] [del.core.internal.ModelRepositoryImpl] - Configuration model 'system.rules' has errors, therefore ignoring it: [10,28]: no viable alternative at input '"results- "'
[10,48]: extraneous input ')' expecting 'end'

rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
        shutdownfirewall.postUpdate(OFF)
        Thread::sleep(100)
        executeCommandLine("ssh@nsautomate@192.168.1.254@'sudo@/etc/rc.halt'")
        var result = executeCommandLine("sudo ...")
        logInfo("exectest"."results- " + result)
end

And modified to this:

rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
        shutdownfirewall.postUpdate(OFF)
        Thread::sleep(100)
        var result = executeCommandLine("sudo ssh@nsautomate@192.168.1.254@'sudo@/etc/rc.halt'")
        logInfo("exectest", "results- " + result)
end

Doesn't print anything in the log though

If it doesn’t print anything, the rule is not running. You should at least see results -

What are the @ for, are they supposed to be @@ for space characters?

changed them to @@, same issue. prints nothing I'm afraid.

rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
        shutdownfirewall.postUpdate(OFF)
        Thread::sleep(100)
        var result = executeCommandLine("sudo ssh@@nsautomate@192.168.1.254@@sudo@@/etc/rc.halt")
        logInfo("exectest", "result-" + result)
end

Thanks, replied, same issue :frowning:

Have you set the sudo rights for user openhab?

yes , under visudo
openhab ALL=(ALL) NOPASSWD: ALL

As said, that suggests your rule may not be running. Why not find out?

rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
      logInfo("exectest", "rule triggered")
...

Thinking on it, another possibility for failing to get to the other logInfo is that the script call never returns.
You should add a timeout to your call, so it cannot wait forever.

var result = executeCommandLine("sudo ... halt" , 5000)

This is always a good idea, in any circumstance.

thanks rossko, now I get this


19:54:19.089 [INFO ] [lipse.smarthome.model.script.exectest] - results- sudo: sorry, you must have a tty to run sudo

edit: turning off requiretty in the visudo has removed that error… still not working, but getting closer

I’ve no idea, but wanting a tty suggests to me that the underlying reason is that it wants a password.

which is odd given visudo is correct

You seem to have been around a lot of this area before. This is sort of related, regarding two sudo for different users.

Yeah this is different in that I'm executing a command as openhab, but logging in as another user. This is non-interactive. Different to the example in the link you've posted

Why do you run the ssh command using sudo (sudo ssh ....)? There should be no need to do so. The ssh client is executed on your local openHab node, not on the pfsense node.

When generating the private/pub keys, were you logged in as user openhab?

Unless you run openHAB as user root (which you shouldn’t), this will not work. Normally, openHab will run as user openhab so you will need to generate the private/public key pair as user openhab (at least that is the easiest way to do it since they will then end up in the correct home directory). If you're running openhabian, then the home directory for the openhab user is not /home/openhab/

The way works … because root has the ssh keys & user openhab has access to sudo

I’m going to quote Rich here:

Anyone reading this who cannot ‘guess the rest’ should not follow the advice given in this thread. Anyone who can ‘guess the rest’ will understand that he/she should not follow the advice given in this thread.

I think marcel was correct to post that quote.

The whole idea of computer security is defense in depth. Why don’t we just run everything as root all the time? Why don’t we just log in as root instead of needing to sudo all the time? Why is there a firewall on the host machine? Why are there file permissions?

It’s ALL to make it more difficult for an attacker to compromise a machine and to limit what they can do on a given machine if they are successful.

When you give the openhab user no password permission to run all commands, you may as well just run openHAB as root. When you run openHAB as root, if someone compromises the machine or compromises your account on myopenhab.org, they can literally do anything on your machine.

So no, the need to protect and limit what the openhab user can do is not limited to just those who expose their OH to the internet. That quote is applicable here as well as to the other thread. It’s a bad idea to give openHAB blanket sudo permissions. It’s a bad idea to run openHAB as root. And honestly, IMHO, it’s a bad idea to install and use the Exec binding. If I could, I’d disable the executeCommandLine Action too. Since I can’t, I rely on the Docker container to limit the damage that can be done should my openHAB get compromised.

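Added example (not code from the thread or the openHAB project) putting Rich's point into practice: a check that catches the blanket `NOPASSWD: ALL` grant quoted above, plus the narrower sudoers line and a forced-command authorized_keys entry that give the halt job only the rights it needs. User name, host and /etc/rc.halt are taken from the thread; the public key is a constructed placeholder, and the forced command still relies on requiretty being off on the pfSense side, as was done earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers fragment for a blanket
# passwordless grant and emit the least-privilege pieces for the halt job.
# "nsautomate", 192.168.1.254 and /etc/rc.halt come from the thread; the
# public key below is a constructed placeholder.

# sudoers_audit FILE: return 1 if any non-comment line grants "NOPASSWD: ALL"
# to a user or group for every host and every target user, else return 0.
sudoers_audit() {
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -Eq '^[[:space:]]*[^[:space:]]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\((ALL|ALL:ALL)\)[[:space:]]*NOPASSWD:[[:space:]]*ALL[[:space:]]*$' \
      && return 1
    return 0
}

# sudoers_halt_rule USER CMD: the one-command grant for the pfSense side,
# replacing "USER ALL=(ALL) NOPASSWD: ALL".
sudoers_halt_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# authorized_keys_entry CMD PUBKEY: pin the key openHAB logs in with to that
# single command and drop pty/forwarding, so a leaked key can only halt the
# box (no-pty is fine here because requiretty was already turned off).
authorized_keys_entry() {
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# --- demonstration on a constructed sudoers fragment ---
tmp=$(mktemp)
printf '# constructed sample\nopenhab ALL=(ALL) NOPASSWD: ALL\n' > "$tmp"
if sudoers_audit "$tmp"; then
    echo "no blanket NOPASSWD grant in $tmp"
else
    echo "blanket NOPASSWD: ALL found in $tmp; use instead (on pfSense):"
    sudoers_halt_rule nsautomate /etc/rc.halt
fi
rm -f "$tmp"
echo "authorized_keys entry for the nsautomate account on pfSense:"
authorized_keys_entry 'sudo /etc/rc.halt' 'ssh-ed25519 AAAA...PUBKEY-PLACEHOLDER openhab@openhab-host'
# With both in place, the openHAB rule needs no local sudo at all:
#   executeCommandLine("ssh@@nsautomate@192.168.1.254", 5000)
# The forced command supplies "sudo /etc/rc.halt"; nothing else can run.
```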