How do you create keys for SSH in Hass.IO and where do you put them?

Great! Thanks, will check out using -o UserKnownHostsFile=myhostfile instead of -o StrictHostKeyChecking=no. :+1:

I could add that personally, I have a dedicated user set up for the purposes of SSH:ing out of HA and executing commands on my external box. Only specific commands are allowed, and the user otherwise has restricted permissions.


This seems like a pretty knowledgeable thread on this niche topic so is it OK if I reference my recent tangential question here that’s stale? Thank you! Feel free to delete if not…

Hi David
I am trying to use the directions:

https://developers.home-assistant.io/docs/operating-system/debugging/#generating-ssh-keys

to connect to Home Assistant via port 22222 to troubleshoot my OS issue (above 5.2 not working on my pi4 ssd boot)
I used the PuTTYgen software and am confused about the file created. I have copied the public key into Notepad++ with ANSI, Unix settings. After copying there is not a (LF) at the end of the key. Should there be? Also, is anything needed at the start of the key? I get to the screen with the login and I hit enter (not sure if this is correct, as the directions in the docs do not say). After hitting enter I get "Server refused our key, no supported authentication methods available". If you have used this, maybe you can give me some insight on what I am doing wrong.
Thanks.

Hi,

I tested your solution and it’s not working.

I do have 2 APs (Pro and LR) with fw 4.3.28.11361.

This is the code in HA:

shell_command:
  unifilr_led_off: >-
    ssh -i /config/unifissh [email protected] "echo '0' >/proc/gpio/led_pattern"
  unifilr_led_blue: >-
    ssh -i /config/unifissh [email protected] "echo '1' >/proc/gpio/led_pattern"
  unifilr_led_white: >-
    ssh -i /config/unifissh [email protected] "echo '2' >/proc/gpio/led_pattern"
  unifilr_led_whiteblue: >-
    ssh -i /config/unifissh [email protected] "echo '3' >/proc/gpio/led_pattern"
  unifipro_led_off: >-
    ssh -i /config/unifissh [email protected] "echo '0' >/proc/gpio/led_pattern"
  unifipro_led_blue: >-
    ssh -i /config/unifissh [email protected] "echo '1' >/proc/gpio/led_pattern"
  unifipro_led_white: >-
    ssh -i /config/unifissh [email protected] "echo '2' >/proc/gpio/led_pattern"
  unifipro_led_whiteblue: >-
    ssh -i /config/unifissh [email protected] "echo '3' >/proc/gpio/led_pattern"

I created a private key with PuTTYgen and put it in the config folder with the name unifissh.ppk

I copied the content of the key in Unifi AP via Unifi Controller

System Settings - Controller Configuration - Device SSH Authentication - creating a new ssh key called UnifiHA with the pasted code.

Then I used SSH addon to connect to both AP at least one time.

Can someone please support me?

Thank you in advance

This is the error I found in the log

Logger: homeassistant.components.shell_command
Source: /usr/src/homeassistant/homeassistant/components/shell_command/__init__.py:113
Integration: Shell Command (documentation, issues)
First occurred: 16:12:02 (1 occurrences)
Last logged: 16:12:02

Error running command: ssh [email protected] "echo '0' >/proc/gpio/led_pattern", return code: 255

NoneType: None

Kind of a whole different topic but if you haven’t solved this yet you should check out the HassOS SSH port 22222 Configurator addon.

So why are you using /config/unifissh in the command then? You called the file unifissh.ppk. Also you need two files, a private and a public key. And the public key has to be in the same folder with the same name except .pub on the end.

Also you skipped all the instructions above about the known hosts file. Without that it's still not going to work even after you get the keys right.

I would suggest giving the below community guide a read as it goes through all these details. Including ways to test directly from the commandline without needing to restart HA between every test.


Thanks. Got it working. This seems much easier.

I followed the instructions and now I have .ssh, .ssh.pub and known_hosts in my config folder.

I can run commands from the addon (even if I always have to enter the password manually). Maybe I am still missing something?

Can you share the command you’re running and the error you’re seeing in the log after making those updates?

sure.

Here’s the full command that works inside terminal addon :

ssh [email protected] "echo '1' >/proc/gpio/led_pattern"

The shell command in my yaml is the following:

  unifilr_led_blue: >-
    ssh [email protected] "echo '1' >/proc/gpio/led_pattern"

This is full error log:

Logger: homeassistant.components.shell_command
Source: /usr/src/homeassistant/homeassistant/components/shell_command/__init__.py:112
Integration: Shell Command (documentation, issues)
First occurred: 11 aprile 2021, 23:56:12 (3 occurrences)
Last logged: 0:35:30

Error running command: ssh [email protected] "echo '1' >/proc/gpio/led_pattern", return code: 255

NoneType: None

You aren’t telling it the key to use for authentication with -i, so it’s using normal interactive authentication and asking for a password. You said you had a .ssh folder and named the key .ssh.pub, right? So it should be this then:

ssh -i /config/.ssh/.ssh.pub [email protected] "echo '1' >/proc/gpio/led_pattern"

my ssh.pub is in config (not a specific .ssh folder).

I changed command and tested within addon.

ssh -i /config/.ssh.pub [email protected] "echo '0' >/proc/gpio/led_pattern"

Here’s the result (sorry I can’t past the text):

(screenshot omitted)

I tried changing permission to 600 or 400 but I receive an error

Load key “/config/.ssh.pub”: invalid format

Sorry wait I’m being dumb, you need to provide the path to the private key file. The public key needs to be in the same folder with the same name except .pub on the end. Assuming you did that and your private key is at /config/.ssh change the command to this:

ssh -i /config/.ssh [email protected] "echo '0' >/proc/gpio/led_pattern"

644 is fine for a public key, not for a private key. If you ran through the normal keygen process then permissions should be set up correctly, just have to provide the right path.


EUREKA!

It worked!

Thank you! :slight_smile:


hey, it’s me again.

Is it possible that, even if the .ssh and known_hosts files are in /config, something got broken after a HA update?

I had to redo the known_hosts part inside the docker bash to be able to use shell_commands again.

Known hosts isn’t in /config. You’re not telling it to put it somewhere else so it is in the normal place - ~/.ssh/known_hosts. Which means it won’t survive updates.

In the guide I linked earlier it mentions how to move known_hosts into /config to ensure it persists from release to release. Add this to your command: -o UserKnownHostsFile=/config/.ssh/known_hosts.

I did it the first time, and a known_hosts file already exists in my /config folder.

That’s why I was confused.

I had to redo

-o UserKnownHostsFile=/config/.ssh/known_hosts

in order to have the command starting again.

That command doesn’t permanently move your known hosts file, there’s no way to do that. It is an argument so it tells the SSH command that this one time it should look for the known_hosts file in this spot instead of the normal spot. You have to include that argument each time for every SSH command you run.


ok I will change my shell_command from this

ssh -i /config/.ssh [email protected] "echo '0' >/proc/gpio/led_pattern"

to this

ssh -o UserKnownHostsFile=/config/known_hosts [email protected] -i /config/.ssh "echo '0' >/proc/gpio/led_pattern"

right?


Looks good although just be aware we were putting /config/.ssh/known_hosts before and you put /config/known_hosts there. Either one works you just have to run it once manually via the command line to get it set up and then keep using the same exact location for the known hosts file in each shell command and command line sensor after that.
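The layout the replies converge on (the private key with its .pub beside it, owner-only permissions on the private key, and a known_hosts file passed explicitly on every call) as a small POSIX shell helper. This is an added example, not code from the thread or from Home Assistant; the /config/.ssh paths, the user and host, and the HA_SSH_DRY_RUN variable are assumptions. It also adds -o BatchMode=yes, a standard ssh option that makes ssh fail with a return code instead of waiting on a password or host-key prompt that nothing inside shell_command can answer, which is what the "return code: 255" log entries above are reporting.

```shell
#!/bin/sh
# Added example (not from the thread or the Home Assistant project).
# Assumed layout: /config/.ssh/id_unifi (private), /config/.ssh/id_unifi.pub,
# /config/.ssh/known_hosts. Set HA_SSH_DRY_RUN=1 to print the command instead
# of running ssh.

# ha_ssh_check PRIVATE_KEY KNOWN_HOSTS
# Verifies the file layout before ssh is ever called; prints the first problem
# found and returns 1, or returns 0 when everything is in place.
ha_ssh_check() {
    key=$1
    known=$2
    case "$key" in
        *.pub) echo "-i needs the PRIVATE key, not the .pub file: $key"; return 1 ;;
    esac
    [ -f "$key" ] || { echo "private key not found: $key"; return 1; }
    [ -f "$key.pub" ] || { echo "public key missing next to private key: $key.pub"; return 1; }
    # ls -l renders an owner-only file as -rw------- (600) or -r-------- (400);
    # anything wider makes ssh refuse the key with a permissions error.
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "private key $key is $mode; chmod 600 it"; return 1 ;;
    esac
    # Without a pinned host key ssh would stop at the "authenticity of host"
    # prompt; the file is created by running the command once interactively
    # with the same -o UserKnownHostsFile= path used here.
    [ -f "$known" ] || { echo "known_hosts not found: $known (connect once by hand first)"; return 1; }
    return 0
}

# ha_ssh_cmd PRIVATE_KEY KNOWN_HOSTS USER@HOST REMOTE_CMD
# Prints the exact command line, ready to paste into a shell_command entry.
ha_ssh_cmd() {
    printf 'ssh -i %s -o UserKnownHostsFile=%s -o BatchMode=yes %s "%s"\n' "$1" "$2" "$3" "$4"
}

# ha_ssh PRIVATE_KEY KNOWN_HOSTS USER@HOST REMOTE_CMD
# Checks the layout, then runs ssh (or prints the command in dry-run mode).
ha_ssh() {
    ha_ssh_check "$1" "$2" || return 1
    if [ "${HA_SSH_DRY_RUN:-0}" = "1" ]; then
        ha_ssh_cmd "$1" "$2" "$3" "$4"
    else
        ssh -i "$1" -o UserKnownHostsFile="$2" -o BatchMode=yes "$3" "$4"
    fi
}

# Example call (placeholders): prints the command line without connecting.
# HA_SSH_DRY_RUN=1 ha_ssh /config/.ssh/id_unifi /config/.ssh/known_hosts \
#     admin@ap.example "echo '0' >/proc/gpio/led_pattern"
```

Run the check once from the SSH add-on terminal against the real paths; whatever ha_ssh_cmd prints is the value to put in the shell_command entry, and the same -o UserKnownHostsFile= path must appear in every entry, since the option only applies to the one invocation it is given to.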