How do you create keys for SSH in Hass.IO and where do you put them?

Hey, not sure if this is still an issue for you, but here is what works for me on hass.io

command_off: "/usr/bin/ssh -i /config/ssh/id_rsa -o StrictHostKeyChecking=no [email protected] 'python3 /path/to/hello.py'"


Sorry for reviving an old thread, but it's just what I'm looking for.

How did you get /config/ssh to be persistent? Or is /config/ssh a link to somewhere else, like /config/certs or some such?

(Have moved from hassbian to hassos and hassio, and trying to get some old functionality back, like ssh into another box from, now, hassio.)

I believe the add on ssh has created config/.ssh with known_hosts and authorized_keys but no actual keys.

I believe the add on git pull has created a subfolder, config/.ssh/.ssh (ie. the second .ssh subfolder), and this one actually contains ssh keys.

What I’m currently doing, is cp /config/.ssh/.ssh/id_mykey /config/.ssh and it works, but seems a bit of a chore to do on every reboot?

Also, on a perhaps related note, how can I get my .gitconfig to be persistent!? (Yes, as you can see I'm still struggling with this whole container philosophy. But getting there, slowly, bit by bit. I think.)

With hassio you use the ssh addon and you configure the authorised key in the config for the addon… you don’t move it or copy it anywhere else.

As OP was saying, the ssh addon sets everything up for ssh:ing into hassio, yes. But it doesn't cover ssh:ing out from hassio. Or at least has not so far. (In the addon's config, you add the public key that goes into authorized_keys. I.e. what's allowed in.)

EDIT: Seems the addon SSH & Web terminal might be what I'm looking for! (Both for gitconfig, ssh keys, and zsh. (I don't get why the stock ssh addon adds a tmux.conf that sets shell to zsh without actually including zsh? Seems like a bug, but I don't know enough about hassio yet to be certain enough to file it.))

Did you get this to work? Generating an ssh key for traffic going OUT of hassio?

Yes, using the SSH & Web terminal addon instead of the SSH addon.

Keys generated (~/.ssh/) are persistent. Can be used for the workflow SSH into Hass.io -> SSH out of Hass.io.

However, if you need to have outbound ssh access from within a script or some such, the solution I’ve ended up with is to have a separate SSH key somewhere under config/.

Thanks for the reply. And sorry for the next "stupid" question.
I have now installed the add-on, but it won't start. I guess it's because I need to have some content between the [ ] following "authorized_keys". How do I generate this key?

Follow the addon's instructions. Yes, you're right; you need to configure what user, with what key, is allowed to ssh into hass.io.

The key that is asked for, is what would normally be in the .ssh/authorized_keys file, so to say. That is, the public key of the key you’d use to ssh into hass.io.

So sorry, but I still struggle finding any information on how I generate the information to put between the [ ]. What program or tool should I use to generate this content?

Use puttygen

If you want to read up on SSH keys in general, here's some information; here you can find information on how to generate an ssh key pair from the console (using ssh-keygen). If you're on Windows and would prefer a GUI, here's a tutorial for using Putty and Puttygen, that @DavidFW1960 suggested.

All of the pages linked to above refer to a key pair. A private and a public. The “authorized_keys” referred to in the addon’s instructions is the public key. So generate a key pair, and paste the (content of the) public key (id_rsa.pub, for instance; file extension .pub for public) inside the brackets as shown in the instruction example.

Hi, thanks to your help I have finally reached some level of success, as I have now generated and exchanged keys with the remote rpi, and can log into the remote rpi from the terminal under hassio, without being prompted for a password. Yes!!

Next thing is to have my HA script working. I have created the following in my configuration.yaml:
shell_command:
  turn_off_touchscreen: "ssh [email protected] 'vcgencmd display_power 0'"
  turn_on_touchscreen: "ssh [email protected] 'vcgencmd display_power 1'"

And have the following in my script.yaml:
touchscreen_off:
  alias: "touchscreen off"
  sequence:
    - service: shell_command.turn_off_touchscreen

touchscreen_on:
  alias: "touchscreen on"
  sequence:
    - service: shell_command.turn_on_touchscreen

When I run either of these scripts, nothing happens on the remote rpi. If I simply type the commands directly into the terminal on HA (i.e. ssh [email protected] 'vcgencmd display_power 0'), it works fine. Can you see what I have done wrong? I get no errors when I run the Configuration validation.


Some level of success – well done! :smiley:

The issue you’re raising is, however, a different one than what you asked before. Indeed, it is what I was referring to above, when I said that if you need outbound access from within a script or some such, the solution I’ve ended up with is to have a separate SSH key somewhere under config/.

I might have gotten something wrong, as I’m still getting used to the whole docker philosophy of hass.io (as opposed to hassbian etc.), so there might be better ways to accomplish what you’re asking for. I ended up having a separate, passwordless SSH-key stored in config/mypath (ie. a subdirectory mypath in the same directory where all the home assistant configuration files are) used specifically by HA scripts. So the key file might, for instance, be called config/mypath/id_rsa (and there would be a corresponding config/mypath/id_rsa.pub as well). Obviously, I’d have to add the public key to the authorized_keys -file in the computer I want to SSH into from hass.io.

If I would want to call the command vcgencmd display_power 0 as user username on a secondary computer available on my local network at the address 192.168.1.26, I would have the following in my HA-script:

ssh -i /config/mypath/id_rsa -o StrictHostKeyChecking=no username@192.168.1.26 -t 'vcgencmd display_power 0'

So -i /config/mypath/id_rsa for accessing the passwordless SSH-key I discussed earlier. Adapt to your path. -o StrictHostKeyChecking=no to – you guessed it – disable strict checking of the host key. Unadvisable in normal circumstances, but necessary in this case. You also need -t 'vcgencmd display_power 0' to tell SSH you do not want to log into a shell, but simply execute the command vcgencmd display_power 0 and exit.

(I've myself made a separate user username for the specific use of HA scripts on a secondary computer. On said secondary computer, I've restricted available commands for username. Whereas I have the SSH connection we initially discussed for proper logins (from hass.io to the secondary computer).)

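An added example, not from any poster in this thread, of the setup the previous post describes (a separate passwordless key under config/ used only by HA scripts, and a user on the other box that may only run a few commands), done without StrictHostKeyChecking=no: the remote host key is pinned in a private known_hosts file next to the key, and the key is forced on the remote side to a wrapper that accepts only the two display commands. KEYDIR, REMOTE_USER, REMOTE_HOST and the wrapper path are assumptions taken from the example values above; the script name ha-ssh.sh in the usage note is also assumed.

```shell
#!/bin/sh
# Added example (not from the thread): a locked-down outbound SSH key for
# Home Assistant shell_commands. Instead of StrictHostKeyChecking=no, the
# remote host key is pinned in a private known_hosts file, and the key is
# forced to a small wrapper on the remote host that only allows the two
# display commands. KEYDIR, REMOTE_USER, REMOTE_HOST and WRAPPER are
# assumptions mirroring the thread's example values; adapt them.
set -eu

KEYDIR="${KEYDIR:-/config/mypath}"               # assumed dir under the HA config directory
REMOTE_USER="${REMOTE_USER:-username}"           # assumed dedicated user on the remote box
REMOTE_HOST="${REMOTE_HOST:-192.168.1.26}"       # assumed, as in the thread
WRAPPER="${WRAPPER:-/usr/local/bin/ha-display}"  # assumed wrapper path on the remote box

# authorized_keys line for the remote host. 'restrict' turns off pty allocation and
# port/agent/X11 forwarding; 'command=' runs the wrapper whatever the client asked for.
#   $1 = public key line (contents of id_ed25519.pub), $2 = wrapper path
restricted_entry() {
  printf 'restrict,command="%s" %s\n' "$2" "$1"
}

# The same allow-list the wrapper enforces, usable on the HA side to check a
# command before turning it into a shell_command.
wrapper_allows() {
  case "$1" in
    'vcgencmd display_power 0'|'vcgencmd display_power 1') return 0 ;;
    *) return 1 ;;
  esac
}

# The wrapper script to install at $WRAPPER on the remote host (chmod 755).
# sshd hands the client's requested command over in SSH_ORIGINAL_COMMAND.
wrapper_script() {
  cat <<'EOF'
#!/bin/sh
case "${SSH_ORIGINAL_COMMAND:-}" in
  'vcgencmd display_power 0'|'vcgencmd display_power 1')
    exec $SSH_ORIGINAL_COMMAND ;;
  *)
    echo "refused: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
    exit 1 ;;
esac
EOF
}

# The ssh invocation to put in a shell_command: only the dedicated key, the pinned
# known_hosts file, and BatchMode so a prompt fails instead of hanging HA.
#   $1 = remote command
ssh_command() {
  printf "ssh -i %s/id_ed25519 -o IdentitiesOnly=yes -o UserKnownHostsFile=%s/known_hosts -o StrictHostKeyChecking=yes -o BatchMode=yes %s@%s '%s'" \
    "$KEYDIR" "$KEYDIR" "$REMOTE_USER" "$REMOTE_HOST" "$1"
}

# One-time setup on the HA side: passwordless key pair plus pinned host key.
# ssh-keyscan trusts whatever answers on the network, so compare the printed
# fingerprint with one read on the remote host itself (ssh-keygen -lf) before use.
setup() {
  mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
  [ -f "$KEYDIR/id_ed25519" ] || ssh-keygen -t ed25519 -N '' -C ha-shell-command -f "$KEYDIR/id_ed25519"
  ssh-keyscan -t ed25519 "$REMOTE_HOST" > "$KEYDIR/known_hosts"
  ssh-keygen -lf "$KEYDIR/known_hosts"
  echo "Add this line to ~$REMOTE_USER/.ssh/authorized_keys on $REMOTE_HOST:"
  restricted_entry "$(cat "$KEYDIR/id_ed25519.pub")" "$WRAPPER"
}

case "${1:-}" in
  setup)   setup ;;
  wrapper) wrapper_script ;;
  cmd)     ssh_command "${2:-vcgencmd display_power 0}"; echo ;;
  *)       echo "usage: $0 setup | wrapper | cmd 'vcgencmd display_power 0'" >&2 ;;
esac
```

Run `sh ha-ssh.sh setup` once in the HA terminal, put the printed authorized_keys line and the output of `sh ha-ssh.sh wrapper` on the remote host, and use the string `sh ha-ssh.sh cmd 'vcgencmd display_power 0'` prints as the shell_command value. If the remote box is reinstalled and gets a new host key, the shell_command fails closed until known_hosts is refreshed, which is the point of pinning it; and because the forced command ignores whatever the client sends, a leaked copy of the key can at most toggle the display.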

Bingo. Now it’s working. Thank you for your patience with me :slight_smile: :grinning:


Glad to hear you got it working! :+1:

He wants to SSH into a remote server from his Hassio server. The SSH add-on is not the same thing, it runs its own users.


Thank you for this! I use the Shopping List integration and now I can print my shopping list from a button or automation which calls my shell_command.print_shopping_list_txt.

shell_command:
  write_shopping_list_txt: jq '.[] | .name' -r ./.shopping_list.json > ./shopping_list.txt
  print_shopping_list_txt: jq '.[] | .name' -r ./.shopping_list.json > ./shopping_list.txt && ssh -i ./.ssh/id_rsa [email protected] -t 'cd / && lpr -P MFC495CW /home/ha/homeassistant/homeassistant/shopping_list.txt'

I just started fiddling with Hassio about four months ago having zero experience with linux, docker, python, yaml, or pretty much any of what it is built on. So, for me this was a decent accomplishment with your help. Maybe a simpler way to do this with a python script, but none that I can see which don’t use imports. One thing I am still unsure of is why I can run this from my configuration.yaml, but when I try it in a .sh file, it doesn’t work.


Just FYI, the link to the addon’s instructions you gave does not answer the question of how to generate the key. It simply says,
" 2. Configure the username and password / authorized_keys options."

I am struggling with this right now as well.

  • I installed the ssh add-on from the HA store
  • I found somewhere (though NOT on the ssh add-on instructions) how to generate a new public private key set. I used no password–this is a home and personal education implementation.
  • I put the public key into the HA ssh configuration thusly: (Note: this editor doesn’t display indents properly)

Configuration

authorized_keys:
  - >-
    ssh-rsa
    AAAAB3NzaC …(snip)… RsmIE=
    root@core-ssh
password: ''
server:
  tcp_forwarding: false

  • I’ve set the network host = 22

  • I then tried to log in to HA from ssh on my Linux laptop (on which I'm typing now) by typing "ssh [email protected]" (I've set HA's IP address to be fixed at .200). In return I get "Permission denied (publickey,keyboard-interactive)."

  • I read further, in troubleshooting, that in order for this to work I must have the key (the private one? the public one?) on this Linux laptop as well.

  1. Which key do I need, and where do I put it?
  2. How do I get it from HA to my linux box? (I seem to have lost where those key files are located in the HA subdirectory structure, and there’s no simple answer out there as to where to find them.)

Thanks for any direction.
Cheers.

I hope you were able to move ahead, if not maybe this will help you:

  1. You place the public key (contents of id_rsa.pub) in the authorized_keys file on the host (let's call it host1) that you want to log in to (e.g. /home/your_user/.ssh/authorized_keys).
    By doing this, you tell host1 that your_user will accept the private key which is the pair of this authorized public key.

  2. You put the private key (this is the actual key that you hold "in your hand" - the id_rsa file) in a safe path of your_user@host2 (e.g. /home/your_user/.ssh/id_rsa). While you are logged in as your_user@host2, if you try to ssh your_user@host1, it will allow passwordless ssh login to your_user@host1 from your_user@host2.

Now applying the above to your scenario, if I understood correctly:

You already defined the authorized_keys in the configuration of the hassio ssh addon (you put there the public key); now you'll want to place your private key in your user@laptop so that it will be used to log in passwordless from your user@laptop to your hassio 10.0.0.200.


Thank you very much for your response.

I'll admit that–after reading a ton–I finally got my head around what needed to happen. I generated the keys, then placed the pub-key into the config of the SSH addon in Home Assistant, and I'm able to ssh into Home Assistant.

Again, thanks for your post.
