Just FYI, the link to the addon’s instructions you gave does not answer the question of how to generate the key. It simply says,
" 2. Configure the username and password / authorized_keys options."
I am struggling with this right now as well.
I installed the ssh add-on from the HA store
I found somewhere (though NOT on the ssh add-on instructions) how to generate a new public private key set. I used no password–this is a home and personal education implementation.
I put the public key into the HA ssh configuration thusly: (Note: this editor doesn’t display indents properly)
I then tried to login to HA using from an ssh on my Linux laptop (on which I’m typing now) by typing “ssh [email protected]” (I’ve set HA’s IP address to be fixed at .200). In return I get “Permission denied (publickey,keyboard-interactive).”
I read further, in troubleshooting, that in order for this to work I must have the key (the private one? the public one?) on this Linux laptop as well.
Which key do I need, and where do I put it?
How do I get it from HA to my linux box? (I seem to have lost where those key files are located in the HA subdirectory structure, and there’s no simple answer out there as to where to find them.)
I hope you were able to move ahead, if not maybe this will help you:
you place the public key (contents of id_rsa.pub) in the authorized_keys file in the host (let’s call it host1) that you want to login to (e.g. /home/your_user/.ssh/authorized_keys).
By doing this, you tell this host1 that your_user will accept the private key which is pair of this authorized public key.
you put the private key (this is the actual key that you hold “in your hand” - the id_rsa file) in a safe path of your_user@host2 (e.g. /home/your_user/.ssh/id_rsa). While you are logged as your_user@host2, if you try to ssh your_user@host1, it will allow passwordless ssh login to your_user@host1, from your_user@host2
Now applying the above to your scenario, if i understood correctly:
You already defined the authorized_keys in the configuration of hassio ssh addon (you put there the public key), now you’ll want to place your private key in your user@laptop so that it will be used to login passwordless from your user@laptop to your hassio 10.0.0.200.
I’ll admit that–after reading a ton–I finally got my head around what needed to happen. I generated the keys then placed the pub-key into the config of the SSH addon in Home Assistant and I’m able ssh into home assistant.
I found this post, and it seems your answer is useful for what I need.
Basically I have a python program on a directory of my raspberry (/HarmonizeProject/harmonize.py) that I would like to launch from my home assistant through a script.
I also installed the add-on you mention, but I can’t figure it out on how to configure it to do what I want. Would you help me? I have been banging between guides for 15 days but I can’t do it.
P.s. i currently have supervised home assistant installed in a docker of my raspberry.
Hi. I’m not sure how much help I can be, as I’ve later returned to a dockerized HA-installation without hassio and it’s addons.
There are several links in the chain, from expectation to execution so to say, that might be at fault. Some of the questions below might sound silly; apologies. I’m trying to ascertain which link is broken.
Is SSH on your raspberry working outside docker? Are you able to SSH in to your “bare raspberry” from elsewhere? With the same keys that are deployed within the HA addon?
Hi, first of all thanks for replying.
So, my problem at the moment I think is the creation of these blessed keys, to make sure that I can access my own raspi from the hassio docker without password requiring.
My questions will sound even more stupid (sorry but I’m a beginner).
I’ve installed SSH&Terminal, in configuration file it wants authorized_keys:
Do I have to create these keys myself, or is this add-on able to create them by itself ???
Great, now it’s clear where in the chain we need to start digging.
In short: for the specific scenario you describe, you wouldn’t need to enter anything under authorized_keys in the addon’s config, as you aren’t interested in ssh:ing into it, but rather out from it. You need to get the addon’s public key and use it to allow HA to ssh into your raspberry.
Longer: The scenario you described pursuing entails accessing the raspberry pie through SSH in order to run a script. This would involve two pairs of keys, as we have two locations. The origin from whence you are ssh:ing and the destination to which you are ssh:ing. In your scenario, the addon is the “origin” and the raspberry is the “destination”.
There needs to be keys at both locations. The addon takes care of keys at the point of origin. You need to create keys at the destination, if such have not already been created. Although we might have to take a step back first, as the scenario presupposes that you have SSH up and running on the destination, i.e. your raspberry (outside of docker).
[…] Have you got SSH up and running on your pie? Check if there’s a .ssh config directory in the home directory on the pie (~/.ssh). If it exists, it probably contains both a private and a public key. The private part of the key could be called id_dsa; the public part could be called id_dsa.pub. (The content of the latter file is, by the by, what would be pasted into the addon’s configuration if you’d be interested in ssh:ing into HA.)
However, what you want to do is to SSH from HA. So what you need to do, is to get the ssh addon’s public key and use that to authorize HA to ssh into raspberry (from “origin” to “destination”. Are you able to access the addon’s terminal in HA’s sidebar?
Yes, in my sidebar I’ve access the addon’s terminal!
I’ve setted just a pwd, no key in addon configuration (username hassio and a password) and changed port from 22 to 23 because getting error on port 22 (Bind to port 22 on 0.0.0.0 failed: Address in use.)
From Terminal in Home assistant, there’s no ~/.ssh directory.
So, now I’ve to create key from terminal add-on in Home Assistant, right?
I’ve already created keys outside docker connected with putty (pi user) and ssh-keygen
Hmm. Could the port conflict be due to another ssh addon? There are (at least) two hassio ssh addons, “SSH server” and “SSH & Web terminal”. Is it the latter you have installed? (Alternatively, it might be the raspberry’s own ssh. I’m not familiar with how a supervised HA from a docker container works. If it is any different from hassio or more similar to ha-core in a docker container.)
So, now I’ve to create key from terminal add-on in Home Assistant, right?
If indeed it is “SSH & Web terminal” you have installed, there should already be both private and public keys available in the .ssh directory. If we can locate them, we can use them. (It is a pity I don’t have my hassio installation left, and could test it myself using the addon. Kind of going about it blindly now.)
I’ve already created keys outside docker connected with putty (pi user) and ssh-keygen
Great! Hmm. I guess we could do as follows as well:
Generate a new set of keys. (You can do it through putty and ssh-keygen but store it at a separate location than the previous ones! Adding the -f modifier allows you to specify the output file.)
In your HA-config directory, create a folder called, say myssh.
Copy keys you just created into myssh.
Add the public key you just created to the raspberry’s ssh authorized_keys -file. If the public key you created would be called myssh.pub and be located in the home directory of the pi user, that could be accomplished, for instance, by the following:
cat myssh.pub >> .ssh/authorized_keys
Do cat .ssh/authorized_keys and check the output to see it indeed is there.
In the next steps, we’ll tie it all together. But let’s get this far first! Specifically, let me know if you had trouble generating the keys and placing them into (say) myssh.
Yes, I’ve installed SSH & Web Terminal. I’ve searched for bind port 22 error and found this:
“You can’t use port 22 for BOTH So set a different port for the addon. I use 622. Then I can ssh 22 for the host (Debian in my case) and 622 for Hassio”. So I think it’s ok change port.
I can’t find this directory. Now I’ll read more guide to how configure this add-on, or where it stores the keys. And if i go in Terminal Add on on the left and create myself keys???
Done!
Done!
Done!!!
Done. When do cat .ssh/authorized keys he shows me two keys that finishes:
Now, it just might be the case, that you’ve almost finished it!
Just to check, before writing the HA shell command, why don’t you test it from the HA SSH tab? In the following, I’m assuming there is a file directory myssh in the HA config directory and that said directory contains the private key in a file also called myid. Adapt it to your circumstances (perhaps myid is actually called id_dsa or some such, for instance).
Open the SSH tab.
Double checking the file is indeed there:
test -f config/myssh/myid && echo "Hurrah"
If the output of the above command is “Hurrah”, we should test the SSH connection.
Run the following ssh command, replacing raspipaddress with the IP address of the destination raspberry pi:
ssh -i config/myssh/myid pi@raspipaddress
If the command above was successful, you have now logged in to the raspberry pi from your HA. That would also mean that you could execute commands using the same measure.
That is, if it worked, you’re ready to add the shell_command to HA.
Hmm. Seeing some earlier lines of the log would make it easier to be sure, but I think we’ve actually accomplished what we set out to do. That is, running a script. It could be as simple as amendments needed in your script. You might need to explicitly call the commands in it with full paths and the like. Perhaps specificying full path to python in the shebang? Not sure.
I’d perhaps begin troubleshooting by substituting your command /HarmonizeProject/harmonize.py in the shell_command with another script which runs something really simple and sure-fire to work, first. Maybe a script simply containing something like the following
#!/bin/bash
echo "Huzzah world"
Make sure said script is executable;
Make sure /bin/bash is the location of bash on the raspberry. (Check by running which bash on it.)
First you wrote that bash is actually found at .
But the script calls bash from a different location
Note the discrepancy? Maybe just a typo here, but if indeed your bash is at /usr/bin/bashand the shebang in the test-script is pointing elsewhere (/bin/bash), then that might be the reason it’s failing.
Youre restarting HA in between changes as well, right? (I know you are, asking just to be sure.)
Perhaps you could enable debug level logging for shell commands while we’re trying it out? That is, in your HA configuration.yaml:
# Log
logger:
default: warning # or whatever you have from the start
logs:
homeassistant.components.shell_command: debug
Ok, I’ve modified prova.sh pointing to right bash.
Then insert in configuration.yaml log script, then restart (as always).
Then go to Service and call shell_command.harmonize service, start.
Log…
That is, now we know that the SSH thingy is fully functional. You are successfully running commands on your raspberry through HA.
Next step for you is to check the script you’re calling. Start with the path to it and all paths in it. Make sure all executables are being called by absolute paths. Keep debug log active for shell commands while you’re testing. Revert back to running harmonize.py; restart HA. Start making incremental changes in harmonize.py itself, and check the output in HA logs after each run, specifically what follows after return code (as above, where you found CIAO).
So I skimmed this thread a bit as its kind of long but judging by the last post at the bottom it looks like you have figured out you need to move the keys out of the normal .ssh folder and within /config in order to have them persisted across updates of HA.
However I see you are using -o StrictHostKeyChecking=no. Since this is between local systems on your network that’s probably ok but if you would like to stop doing that there is a fix. The ssh command also allows you to provide a custom location for the known_hosts file. This way you can move that file inside /config as well and have that file also persist across updates. You can also get it set up correctly the first time by either manually SSH’ing directly from the HA container’s commandline using the Portainer add-on on just by copying and pasting the correct things into your custom known_hosts file.
I had to figure this out in order to get my HA displaying a count of packages that needed to be updated on its host. I put the details in here (a lot of it is not relevant to the task at hand I know but it also talks about how to do the known_hosts stuff). With both the custom location for known_hosts and keys the final SSH command ends up looking something like this:
Great! Thanks, will check out using -o UserKnownHostsFile=myhostfile instead of -o StrictHostKeyChecking=no.
I could add that personally, I have a dedicated user set up for the purposes of SSH:ing out of HA and executing commands on my external box. Only specific commands are allowed, and the user otherwise has restricted permissions.
.
It works. My job is done. 
