How do you create keys for SSH in Hass.IO and where do you put them?

This is not to connect to Hass.IO but to connect from Hass.IO
I am trying to use the command line switch but cannot connect to a remote PI.
I guess it is the authentication?
I have seen something about using ‘ssh -i /config/cert/id_rsa’ but what do you put in ‘/config/cert’ and where do you get it from.
Is there any documentation?
Please help.

2 Likes

OK I have now logged into Hass.IO from my mac as root with ssh [email protected] and created an id_rsa and id_rsa.pub.
I have run ssh-copy-id [email protected] and this has updated the remote pi’s ‘authorized_keys’ file
I have copied id_rsa to /config/cert on Hass.IO
On the Hass.IO I can ssh to my remote pi without a password using ‘ssh [email protected]’ and it connects straight away. I can also run from Hass.IO ‘ssh [email protected] python3 hello.py’ and I get the response back ‘Hello’
All looks good.
But when I add the sensor in /config/configuration.yaml it will not run the comnand
command: ssh -i /config/cert/id_rsa [email protected] python3 hello.py
I have tried it with all forms of " and ’ surrounding it
command: ssh -i /config/cert/id_rsa [email protected] "python3 hello.py’’
command: ‘ssh -i /config/cert/id_rsa [email protected] python3 hello.py’
etc
still the same error
12:46 components/sensor/command_line.py (ERROR)
What else can I try? I must be missing something fundamental? This can’t be that difficult??? :slight_smile:

Follow these steps to create SSH keys using PuTTY

Hey not sure if this is still an issue for you, but here is what works for me on hass.io

command_off: "/usr/bin/ssh -i /config/ssh/id_rsa -o StrictHostKeyChecking=no [email protected] 'python3 /path/to/hello.py'"

1 Like

Sorry for reviving an old thread, but it’s just what I’m looking for.

How did you get /config/ssh to be persistent? Or is /config/ssh a link to somewhere else, like /config/certs or some such?

(Have moved from hassbian to hassos and hassio, and trying to get some old functionality back, like ssh into another box from, now, hassio.)

I believe the add on ssh has created config/.ssh with known_hosts and authorized_keys but no actual keys.

I believe the add on git pull has created a subfolder, config/.ssh/.ssh (ie. the second .ssh subfolder), and this one actually contains ssh keys.

What I’m currently doing, is cp /config/.ssh/.ssh/id_mykey /config/.ssh and it works, but seems a bit of a chore to do on every reboot?

Also, on a perhaps related note, how can I get my .gitconfig to be persistent!? (Yes, as you can see I’m still struggling with this whole container -philosophy. But getting there, slowly, bit by bit. I think.)

With hassio you use the ssh addon and you configure the authorised key in the config for the addon… you don’t move it or copy it anywhere else.

As OP was saying, the ssh addon sets everything up for ssh:ing into hassio, yes. But it doesn’t cover ssh:ing out from hassio. Or at least has not so far. (In the addon’s config, you add the public key that goes into authorized_keys. Ie. what’s allowed in.)

EDIT: Seems the addon SSH & Web terminal might be what I’m looking for! (Both for gitconfig, ssh keys, and zsh. (I don’t get why the stock ssh addon adds a tmux.conf:ig that sets shell to zsh without actually including zsh? Seems like a bug, but I don’t know enough about hassio yet to be certain enough to file it.))

Did you get this to work? Generating a ssh key for traffic going OUT of hassio?

Yes, using the SSH & Web terminal addon instead of the SSH addon.

Keys generated (~/.ssh/) are persistent. Can be used for the workflow SSH into Hass.io -> SSH out of Hass.io.

However, if you need to have outbound ssh access from within a script or some such, the solution I’ve ended up with is to have a separate SSH key somewhere under config/.

Thanks for the reply. And sorry for the next “stupid” question.
I have now installed the add-on, but it won’t start. I guess it’s because I need to have some content between the [ ] following “authorized_keys”. How do I generate this key?

Follow the addon’s instructions. Yes, you’re right; you need to configure what user, with what key, is allowed to ssh into hass.io.

The key that is asked for, is what would normally be in the .ssh/authorized_keys file, so to say. That is, the public key of the key you’d use to ssh into hass.io.

So sorry, but I still struggle finding any information on how I generate the information to put between the [ ]. What program or tool should I use to generate this content?

Use puttygen

If you want to read up on SSH keys in general, here’s some information; here you can find information on how to generate a ssh key pair from the console (using ssh-keygen). If you’re on Windows and would prefer a GUI here’s a tutorial for using Putty and Puttygen, that @DavidFW1960 suggested.

All of the pages linked to above refer to a key pair. A private and a public. The “authorized_keys” referred to in the addon’s instructions is the public key. So generate a key pair, and paste the (content of the) public key (id_rsa.pub, for instance; file extension .pub for public) inside the brackets as shown in the instruction example.

Hi, Thanks to your help I have finally reached some level of success, as I have now generated and exchanged key with the remote rpi, and can log into the remote rpi from the terminal under hassio, without being prompted for password. Yes!!

Next thing is to have my HA script working. I have created the following in my configuration.yaml:
shell_command:
  turn_off_touchscreen: "ssh [email protected] 'vcgencmd display_power 0'"
  turn_on_touchscreen: "ssh [email protected] 'vcgencmd display_power 1'"

And have the following in my script.yaml:
touchscreen_off:
  alias: "touchscreen off"
  sequence:
    - service: shell_command.turn_off_touchscreen

touchscreen_on:
  alias: "touchscreen on"
  sequence:
    - service: shell_command.turn_on_touchscreen

When I run either of these scripts, nothing happens on the remote rpi. If I simply type the commands directly into the terminal on HA (i.e. ssh [email protected] 'vcgencmd display_power 0'), it works fine. Can you see what I have done wrong? I get no errors when I run the Configuration validation.

1 Like

Some level of success – well done! :smiley:

The issue you’re raising is, however, a different one than what you asked before. Indeed, it is what I was referring to above, when I said that if you need outbound access from within a script or some such, the solution I’ve ended up with is to have a separate SSH key somewhere under config/.

I might have gotten something wrong, as I’m still getting used to the whole docker philosophy of hass.io (as opposed to hassbian etc.), so there might be better ways to accomplish what you’re asking for. I ended up having a separate, passwordless SSH-key stored in config/mypath (ie. a subdirectory mypath in the same directory where all the home assistant configuration files are) used specifically by HA scripts. So the key file might, for instance, be called config/mypath/id_rsa (and there would be a corresponding config/mypath/id_rsa.pub as well). Obviously, I’d have to add the public key to the authorized_keys -file in the computer I want to SSH into from hass.io.

If I would want to call the command vcgencmd display_power 0 as user username on a secondary computer available on my local network at the address 192.168.1.26, I would have the following in my HA-script:

ssh -i /config/mypath/id_rsa -o StrictHostKeyChecking=no [email protected] -t 'vcgencmd display_power 0'

So -i /config/mypath/id_rsa for accessing the passwordless SSH-key I discussed earlier. Adapt to your path. -o StrictHostKeyChecking=no to – you guessed it – disable strict checking of host key. Unadvisable in normal circumstances, but necessary in this case. You also need -t 'vcgencmd display_power 0' to tell SSH you do not want to login into a shell, but simply execute command vcgencmd display_power 0 and exit.

(I’ve myself made a separate user username for the specific use of HA scripts on a secondary computer. On said secondary computer, I’ve restricted available commands for username. Whereas I have the SSH connection we initially discussed for proper logins (from hass.io to the secondary computer).)

6 Likes
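One way to put together the outbound-key setup described in the posts above (a passwordless key kept under config/, the ssh command a shell_command runs, and a remote user that is restricted to a couple of commands), written as an added example that is not code from anyone in this thread. It differs from the command quoted above in two places: host-key checking stays on, by pinning the remote host key in a known_hosts file under /config rather than passing StrictHostKeyChecking=no, and the remote authorized_keys entry carries a forced command, so the key can run only the two vcgencmd calls no matter what the client sends (the client's request is handed to the wrapper in SSH_ORIGINAL_COMMAND, so no -t is needed). The directory /config/mypath, the key name id_ed25519, the wrapper path /home/username/ha-wrapper.sh and the host 192.168.1.26 are assumptions taken from or modelled on the post above.

```shell
#!/bin/sh
# Added example, not code from the thread. Pieces of the outbound-SSH setup
# discussed above, arranged so that host-key checking stays on and the key
# can only run an allowlisted command on the remote side.
# All paths, users and hosts are assumed placeholders.

# Step 1 (Hass.io side): create a passwordless key pair under /config so it
# survives reboots. Run once from the terminal add-on.
generate_ha_key() {
  keyfile="$1"                                  # e.g. /config/mypath/id_ed25519
  mkdir -p "$(dirname "$keyfile")"
  ssh-keygen -t ed25519 -N '' -C 'homeassistant-scripts' -f "$keyfile"
  chmod 600 "$keyfile"
}

# Step 2 (Hass.io side): record the remote host key once, while you can
# compare the fingerprint, instead of disabling strict checking for good:
#   ssh-keyscan -H 192.168.1.26 >> /config/mypath/known_hosts
# The command a shell_command runs then pins that file. IdentitiesOnly
# limits ssh to the -i key; BatchMode makes it fail instead of prompting.
build_ssh_cmd() {
  key="$1"; known_hosts="$2"; user="$3"; host="$4"; remote_cmd="$5"
  printf '%s\n' "ssh -i $key -o IdentitiesOnly=yes -o BatchMode=yes -o UserKnownHostsFile=$known_hosts -o StrictHostKeyChecking=yes $user@$host '$remote_cmd'"
}

# Step 3 (remote Pi): the authorized_keys line for the HA public key.
# command= makes sshd run the wrapper regardless of what the client asked
# for; the client's request arrives in SSH_ORIGINAL_COMMAND. restrict
# (OpenSSH 7.2+) removes pty allocation, port/X11 and agent forwarding.
restricted_authorized_key() {
  wrapper="$1"; pubkey_line="$2"
  printf '%s\n' "command=\"$wrapper\",restrict $pubkey_line"
}

# Step 4 (remote Pi): the wrapper's allowlist. Prints the command to run and
# returns 0 for a permitted request; returns 1 for anything else.
allowed_remote_command() {
  case "$1" in
    'vcgencmd display_power 0'|'vcgencmd display_power 1')
      printf '%s\n' "$1"; return 0 ;;
    *)
      return 1 ;;
  esac
}

# The installed wrapper (/home/username/ha-wrapper.sh, assumed path) is the
# function above followed by:
#   cmd=$(allowed_remote_command "$SSH_ORIGINAL_COMMAND") || { echo 'denied' >&2; exit 1; }
#   exec $cmd
```

The output of build_ssh_cmd is what goes into the shell_command entries (turn_off_touchscreen with display_power 0, turn_on_touchscreen with display_power 1); the output of restricted_authorized_key is the single line to paste into ~/.ssh/authorized_keys for the restricted user on the Pi. Denied requests show up on the Pi as the wrapper's 'denied' message in the sshd/auth log, which is the check to look at when a new command silently does nothing.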

Bingo. Now it’s working. Thank you for your patience with me :slight_smile: :grinning:

1 Like

Glad to hear you got it working! :+1:

He wants to SSH into a remote server from his Hassio server. The SSH add-on is not the same thing, it runs its own users.

1 Like

Thank you for this! I use the Shopping List integration and now I can print my shopping list from a button or automation which calls my shell_command.print_shopping_list_txt.

shell_command:
  write_shopping_list_txt: jq '.[] | .name' -r ./.shopping_list.json > ./shopping_list.txt
  print_shopping_list_txt: jq '.[] | .name' -r ./.shopping_list.json > ./shopping_list.txt && ssh -i ./.ssh/id_rsa [email protected] -t 'cd / && lpr -P MFC495CW /home/ha/homeassistant/homeassistant/shopping_list.txt'

I just started fiddling with Hassio about four months ago having zero experience with linux, docker, python, yaml, or pretty much any of what it is built on. So, for me this was a decent accomplishment with your help. Maybe a simpler way to do this with a python script, but none that I can see which don’t use imports. One thing I am still unsure of is why I can run this from my configuration.yaml, but when I try it in a .sh file, it doesn’t work.

1 Like