Shutdown via command script / Sudoers question

This is a way. It is NOT the only way.

Google "passwordles ssh"

Setup your account for passwordless ssh logins.

Now take the ~/.ssh/id_*.pub file and put the file's contents into the 'root's /var/root/.ssh/authorized_keys file (you will need to use sudo to make this change).

The id_*.pub file will most likely be id_rsa.pub or id_dsa.pub, but it could be slightly different.

Now you can

ssh root@localhost shutdown -h now

and you will not need a password.

NOTE: Make sure that your id_* (not the .pub file), which is your private key NEVER leaves your control and copies are not made where someone else can get a hold of it. If someone else gets your id_* file, they can login to your system with out a password.

NOTE 2: There are ways to put a passphrase on your ssh keys, and store them in your keychian. Google: "ssh passphrase in keychain". This would be more secure than no passphrase, but you still have to keep control of your keychain file. It is always something 🙂

Because ssh gives you the ability to create ssh-keys that allow logging into an account WITHOUT a password, and one of the accounts can be 'root' which is exactly what sudo is doing for you, and you do not need to expose your password in plain text stored in a file that anyone that gains access to your system or a backup of your system can read.

But if you want expose your password, you could try the sudo -S option.

ssh allows you to login to another account.

'localhost' is YOUR system

'root' is the account with ultimate privilege on your Mac. When you issue the sudo command you are exeucting the command as 'root'

so

ssh root@localhost some_command ....

will login to the root account, and execute the specified command as 'root'. The same as when you use sudo.

The Main advantage is that ssh can have private and public keys that allow you to login WITHOUT a password, were as sudo does NOT have this feature. ssh can be scripted, and if you have setup the public and private keys as suggested, then you will never be prompted for a password, and you will never need to store your password as plain text in a file. In fact you will not even need to update the ssh keys if you decide to change your login password, as the ssh keys are not tied to your login password.

Also putting your .pub key file contents into the root's .ssh/authorized_keys file does NOT require to enable root, but it will still work. So no one will be able to use or guess the password for the root account because it will never be enabled, but ssh into root via ssh-keys will still be possible (I use this trick for myself to perform backups using some Unix tools). Carbon Copy Cloner uses ssh keys to perform remote backups (another place I take advantage of ssh keys and root access).

Steev3 wrote:

So I just create a .command file that will then run the SSH command, and I take it that SSH doesn't necessarily mean I'm logging in to the box from another location.

Correct.

Also I might use an Automator created app using 'run shell script', instead of a .command file, but both will work.

Are you always using this script to shutdown? If that is the case it may make more sense to create a launchd job to create the nvram setting at shutdown. That way you just forget about it after setting it up. Stackoverflow has some posts on that topic.

I think there may be apps for it…

http://auto-mute.com/screenshots/

https://itunes.apple.com/us/app/sleepmute/id421822575?mt=12

Startninja & StartupSound.prefPane are others that are mentioned. I vaguely recall a different app so search around if you want to use a different approach, disabling SIP, tweaking sudoers, enabling ssh seems a bit overkill to me.

Personally I find setting the NVRAM variable once is enough to stick, perhaps that is a function of being on a desktop using multiple audio interfaces?