How do you create keys for SSH in Hass.IO and where do you put them?

Ok, I’ve modified prova.sh pointing to right bash.
Then insert in configuration.yaml log script, then restart (as always).
Then go to Service and call shell_command.harmonize service, start.
Log…

020-12-14 22:16:39 DEBUG (MainThread) [homeassistant.components.shell_command] Stdout of command: ssh -i /config/myssh/chiavi -o StrictHostKeyChecking=no [email protected] -tt '/home/pi/prova.sh', return code: 0:
b’CIAO\r\n’

2020-12-14 22:16:39 DEBUG (MainThread) [homeassistant.components.shell_command] Stderr of command: ssh -i /config/myssh/chiavi -o StrictHostKeyChecking=no [email protected] -tt '/home/pi/prova.sh', return code: 0:
b’Connection to 192.168.1.41 closed.\r\n’

:tada: It works. My job is done. :wink:

That is, now we know that the SSH thingy is fully functional. You are successfully running commands on your raspberry through HA.

Next step for you is to check the script you’re calling. Start with the path to it and all paths in it. Make sure all executables are being called by absolute paths. Keep debug log active for shell commands while you’re testing. Revert back to running harmonize.py; restart HA. Start making incremental changes in harmonize.py itself, and check the output in HA logs after each run, specifically what follows after return code (as above, where you found CIAO).

Good luck!

1 Like

Thank you so much Krissen!!!
You’re absolutely great!!!
I owe you one

1 Like

So I skimmed this thread a bit as its kind of long but judging by the last post at the bottom it looks like you have figured out you need to move the keys out of the normal .ssh folder and within /config in order to have them persisted across updates of HA.

However I see you are using -o StrictHostKeyChecking=no. Since this is between local systems on your network that’s probably ok but if you would like to stop doing that there is a fix. The ssh command also allows you to provide a custom location for the known_hosts file. This way you can move that file inside /config as well and have that file also persist across updates. You can also get it set up correctly the first time by either manually SSH’ing directly from the HA container’s commandline using the Portainer add-on on just by copying and pasting the correct things into your custom known_hosts file.

I had to figure this out in order to get my HA displaying a count of packages that needed to be updated on its host. I put the details in here (a lot of it is not relevant to the task at hand I know but it also talks about how to do the known_hosts stuff). With both the custom location for known_hosts and keys the final SSH command ends up looking something like this:

ssh -o UserKnownHostsFile=/config/.ssh/known_hosts <INSERT HOST USERNAME>@<INSERT HOST ADDRESS> -i /config/.ssh/id_ed25519 '<insert command here>'
3 Likes

Great! Thanks, will check out using -o UserKnownHostsFile=myhostfile instead of -o StrictHostKeyChecking=no. :+1:

I could add that personally, I have a dedicated user set up for the purposes of SSH:ing out of HA and executing commands on my external box. Only specific commands are allowed, and the user otherwise has restricted permissions.

1 Like

This seems like a pretty knowledgeable thread on this niche topic so is it OK if I reference my recent tangential question here that’s stale? Thank you! Feel free to delete if not…

Hi David
I am trying to use the directions:

https://developers.home-assistant.io/docs/operating-system/debugging/#generating-ssh-keys

to connect to Home Assistant via port 22222 to troubleshoot my OS issue (above 5.2 not working on my pi4 ssd boot)
I used the putty gen software and am confused about the file created. I have copied the public key into notpad ++ with Ansi, unix settings. After coping there is not a (LF) at the end of the key. Should there be. Also is anything needed at the start of the key. I get to the screen with the login and I hit enter (not sure if this is correct as the directions in the docs do not say. After hitting enter I get Server refused our key, no supported authentication methods available. If you have used this maybe you can give me some insight on what I am doing wrong.
Thanks.

Hi,

I tested your solution and it’s not working.

I do have 2 AP (Pro and LR) with fw 4.3.28.11361.

This is the code in HA:

shell_command:
  unifilr_led_off: >-
    ssh -i /config/unifissh [email protected] "echo '0' >/proc/gpio/led_pattern"
  unifilr_led_blue: >-
    ssh -i /config/unifissh [email protected] "echo '1' >/proc/gpio/led_pattern"
  unifilr_led_white: >-
    ssh -i /config/unifissh [email protected] "echo '2' >/proc/gpio/led_pattern"
  unifilr_led_whiteblue: >-
    ssh -i /config/unifissh [email protected] "echo '3' >/proc/gpio/led_pattern"
  unifipro_led_off: >-
    ssh -i /config/unifissh [email protected] "echo '0' >/proc/gpio/led_pattern"
  unifipro_led_blue: >-
    ssh -i /config/unifissh [email protected] "echo '1' >/proc/gpio/led_pattern"
  unifipro_led_white: >-
    ssh -i /config/unifissh [email protected] "echo '2' >/proc/gpio/led_pattern"
  unifipro_led_whiteblue: >-
    ssh -i /config/unifissh [email protected] "echo '3' >/proc/gpio/led_pattern"

I created a private key with PuttyGen and put it in config folder with name unifissh.ppk

I copied the content of the key in Unifi AP via Unifi Controller

System Settings - Controller Configuration - Device SSH Authentication - creating a new ssh key called UnifiHA with the pasted code.

Then I used SSH addon to connect to both AP at least one time.

Can someone please support me?

Thank you in advance

This is the error I found in the log

Logger: homeassistant.components.shell_command
Source: /usr/src/homeassistant/homeassistant/components/shell_command/init.py:113
Integration: Shell Command (documentation, issues)
First occurred: 16:12:02 (1 occurrences)
Last logged: 16:12:02

Error running command: ssh [email protected] "echo '0' >/proc/gpio/led_pattern", return code: 255

NoneType: None

Kind of a whole different topic but if you haven’t solved this yet you should check out the HassOS SSH port 22222 Configurator addon.

So why are you using /config/unifissh in the command then? You called the file unifissh.ppk. Also you need two files, a private and public key. And the public key has to be in the same folder with the same name except .pub on the end.

Also you skipped all the instructions above about the known hosts file. Without that its still not going to work even after you get the keys right.

I would suggest giving the below community guide a read as it goes through all these details. Including ways to test directly from the commandline without needing to restart HA between every test.

1 Like

Thanks. Got it working. This seems much easier.

I followed instruction and now I have .ssh .ssh.pub and know_hosts in my config folder.

I can run commands from the addon (even if I always add to put manually password ) Maybe I miss still something?

Can you share the command you’re running and the error you’re seeing in the log after making those updates?

sure.

Here’s the full command that works inside terminal addon :

ssh [email protected] "echo '1' >/proc/gpio/led_pattern"

The shell command in my yaml is the following:

  unifilr_led_blue: >-
    ssh [email protected] "echo '1' >/proc/gpio/led_pattern"

This is full error log:

Logger: homeassistant.components.shell_command
Source: /usr/src/homeassistant/homeassistant/components/shell_command/init.py:112
Integration: Shell Command (documentation, issues)
First occurred: 11 aprile 2021, 23:56:12 (3 occurrences)
Last logged: 0:35:30

Error running command: ssh [email protected] "echo '1' >/proc/gpio/led_pattern", return code: 255

NoneType: None

You aren’t telling it the key to use for authentication with -i so its using normal interactive authentication and asking for a password. You said you had a .ssh folder and named the key .ssh.pub right? So should be this then:

ssh -i /config/.ssh/.ssh.pub [email protected] "echo '1' >/proc/gpio/led_pattern"

my ssh.pub is in config (not a specific .ssh folder).

I changed command and tested within addon.

ssh -i /config/.ssh.pub [email protected] “echo ‘0’ >/proc/gpio/led_pattern”

Here’s the result (sorry I can’t past the text):

image

I tried changing permission to 600 or 400 but I receive an error

Load key “/config/.ssh.pub”: invalid format

Sorry wait I’m being dumb, you need to provide the path to the private key file. The public key needs to be in the same folder with the same name except .pub on the end. Assuming you did that and your private key is at /config/.ssh change the command to this:

ssh -i /config/.ssh [email protected] “echo ‘0’ >/proc/gpio/led_pattern”

644 is fine for a public key, not for a private key. If you ran through the normal keygen process then permissions should be set up correctly, just have to provide the right path.

1 Like

EUREKA!

It worked!

Thank you! :slight_smile:

1 Like

hey, it’s me again.

It’s possible that even if .ssh and know_hosts files are in /config something got broker after HA update?

I had to redo the know_hosts part inside docker bash to be able again to use shell_commands.

Known hosts isn’t in /config. You’re not telling it to put it somewhere else so it is in the normal place - ~/.ssh/known_hosts. Which means it won’t survive updates.

In the guide I linked earlier it mentions how to move known_hosts into /config to ensure it persists from release to release. Add this to your command: -o UserKnownHostsFile=/config/.ssh/known_hosts.