How I got Asuswrt device tracker working with SSH key files

But in this case we are not using a Windows machine or a workstation. This SSH key is used for Home Assistant to connect to an Asus router. How would I use a pass phrase here? There is no mention of a pass phrase in the settings for Asuswrt in HA, nor is there any mention of a pass phrase in the Asus router settings?

That was my original question.

If one uses an ssh key with HA, it seems like it would almost have to be a key with an open passphrase unless HA has a facility to start an ssh-agent instance to load the private key. The vulnerability is that, should that private key be stolen or fall into the hands of a 3rd party, they could readily access any device where the public half of the key has been deployed.

Thanks for clarifying. Then a pass phrase probably isn’t an option right now. I think a key without a pass phrase does not mean an extra attack vector, as long as you use the key pair just for connecting Home Assistant and Asus. There seems to be room for improvement though.

Thanks for the tutorial.
Unfortunately I can’t seem to get it to work.
I created the private file and saved it at /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key
I copied the public key to my router, saved and restarted.
And added my device_tracker entry to the configuration.yaml:
device_tracker:
  - platform: asuswrt
    host: 192.168.2.2
    username: haendler
    ssh_key: /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key

and then executed the command: chmod 600 /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key

Now when I start Home Assistant I get an error in the log:
Unexpected SSH error: password refused
10:55 AM components/device_tracker/asuswrt.py (ERROR)

I tried around with permissions for the file and moving the ssh folder to different directories but with no success.

With nmap I confirmed from my hassbian that ssh on my router is open on port 22.

Does anyone have an idea what I’m missing?

Strange. I googled a bit. Perhaps you can set the permissions of the folder containing the ssh key file to 700; that is suggested a few times.

Just to check: did you export the key as OpenSSH, not just save it from PuttyGen?

I think on my latest try I didn’t, I just saved it.
Just now tried it again with the export and now there’s only 1 error left:
Invalid config for [device_tracker.asuswrt]: file not readable for dictionary value @ data['ssh_key']. Got '/home/homeassistant/.homeassistant/ssh/ssh_asus_private_key'

In another thread it was suggested to put the file into the /config/ folder so docker can see it. But I don’t seem to have/find the config folder. Where should that be?

Did you chmod 600 the file? Also, you can try to put it in the folder I suggested in the topic start? That is a known working location, even if just to confirm it can work for you.

Yes, I did the chmod.
And the folder was my question: where is the /config/ folder? I can’t find it or can’t see it. Not working with unix that much.

Also, when I try it with the password config instead of the ssh_key in the configuration.yaml, I get an error “Unexpected SSH error: permission denied”. Is there some router setting I’m missing? I set the part from your screenshot and the ssh public key.

For me, the config directory is in the root (using Hassio). Another way to reach it is by activating Samba access and connecting to the HASS file system from another PC. The config directory is then available as a shared folder.

Well I’m using Hassbian maybe there is a difference then. I’ll try today when I’m home to put it in a /root/ folder. Otherwise I will probably alternate to a ping instead of presence detection by the router.
Thanks for your help, very much appreciate it.

@kirbby,

Since you are on hassbian try this:

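sudo -u homeassistant -H /bin/bash   # open a shell as the homeassistant user
cd ~/.homeassistant/ssh/
rm *                                 # remove any old key files in this folder
ssh-keygen -t rsa -b 4096 #save key as ssh_asus_private_key
cat ssh_asus_private_key.pub         # public half: this is what goes into the router
exit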

This will create the ssh key under the correct user. *please note this text is not tested but the concept works.

This worked for my Docker setup:

docker exec -it homeassistant bash   # open a shell inside the container
mkdir ssh
cd ssh
ssh-keygen -t rsa -b 4096 #save key as asuswrt
cat asuswrt.pub                      # public half: this is what goes into the router
exit

For docker:

#device_tracker:
  - platform: asuswrt
    host: #router IP
    username: !secret asus_admin_name
#    password: !secret asus_admin_password
#or
    ssh_key: '/config/ssh/asuswrt'  #The path to your SSH private key file associated with your given admin account

@TheNotSoSmartHome,
thanks for the tip I’ll try it on the weekend, if I have time. For now I made the ping device tracker work.

I’m having issues with this too. Everything was working fine (I think) until I updated to 0.82.1.

I was just using username and pass to access the router which has worked for absolutely ages.

I tried adding an SSH key as described above, but it still doesn’t work.

What’s really annoying is that I have quite a number of automations that rely on this!

I got this working but on Raspbian I had to make sure I was generating an openssl key ( “-o” ). So following @TheNotSoSmartHome’s instruction I had to change the keygen command to

ssh-keygen -t rsa -b 4096 -o
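
A check for the failure causes raised in this thread (missing or unreadable file, file and folder permissions, PuTTY versus OpenSSH format, passphrase), added here as an example and not taken from any post or from Home Assistant. The script name `check_key.sh` is hypothetical, and it assumes that both the new OpenSSH format and PEM private keys are acceptable, since posts above report each working.

```shell
#!/usr/bin/env bash
# Added example: checks a private key file for the problems raised in this thread.
# Run it as the user Home Assistant runs as, e.g. on Hassbian (script name is hypothetical):
#   sudo -u homeassistant -H bash check_key.sh /home/homeassistant/.homeassistant/ssh/ssh_asus_private_key

# Octal permission bits of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Classify the key by its first line.
key_format() {
  case "$(head -n 1 "$1" 2>/dev/null)" in
    "PuTTY-User-Key-File-"*)                echo putty ;;    # saved, not exported, from PuTTYgen
    "-----BEGIN OPENSSH PRIVATE KEY-----"*) echo openssh ;;  # new OpenSSH format (ssh-keygen -o)
    "-----BEGIN "*"PRIVATE KEY-----"*)      echo pem ;;      # classic PEM private key
    "ssh-rsa "*|"ssh-ed25519 "*)            echo public ;;   # public half, wrong file
    *)                                      echo unknown ;;
  esac
}

# Print one line per problem; return the number of problems found.
check_key() {
  local key=$1 problems=0 fmt
  if [ ! -f "$key" ]; then echo "missing: $key (under Docker the path must exist inside the container)"; return 1; fi
  [ -r "$key" ] || { echo "not readable by $(id -un): fix ownership"; problems=$((problems+1)); }
  [ "$(mode_of "$key")" = 600 ] || { echo "file mode is $(mode_of "$key"), expected 600"; problems=$((problems+1)); }
  [ "$(mode_of "$(dirname "$key")")" = 700 ] || { echo "folder mode is not 700"; problems=$((problems+1)); }
  fmt=$(key_format "$key")
  case "$fmt" in
    openssh|pem) ;;
    putty)  echo "PuTTY .ppk format: export the key as OpenSSH instead"; problems=$((problems+1)) ;;
    public) echo "this is the public key; ssh_key needs the private one"; problems=$((problems+1)) ;;
    *)      echo "unrecognised key format"; problems=$((problems+1)) ;;
  esac
  # A key that needs a passphrase cannot be loaded unattended (check needs ssh-keygen).
  if [ "$problems" -eq 0 ] && command -v ssh-keygen >/dev/null; then
    ssh-keygen -y -P "" -f "$key" >/dev/null 2>&1 ||
      { echo "key is passphrase-protected or corrupt"; problems=$((problems+1)); }
  fi
  return "$problems"
}

# Only run when executed with an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then check_key "$1"; fi
```

No output and exit status 0 mean none of these problems were found; inside a Docker container, run it with `docker exec` so the path is resolved where Home Assistant resolves it.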

Hi. I’m now running Hassio 0.83.3

Followed the above instructions but when I log in via SSH (as root) to do the chmod command I get a no such file or directory error message. If I type LS, I see nothing. Any ideas of the correct path?

EDIT: Ignore me - was being an idiot

Thx for your post. I got it working.

One remark: I got confused about the name of the file ssh_asus_private_key. Shouldn’t it have “hasshost” or “pi” or something like that in the name instead of “asus”, because it’s the private key of the host where HA is running, not the private key of your router?

You’re getting me confused now :slight_smile: But I still think it should be called ssh_asus_private_key, because it’s meant to connect to your Asus router and only your Asus router. The key pair (public & private key) is used for a connection to the Asus router, not for a connection to the Home Assistant machine. I hope I’m making sense here.

Yes, true. And for this post it’s not necessarily wrong. (But confusing to me. :wink: )

In theory this private key belongs to the host where your HA is running. And it can be used in an ssh connection to prove it’s really the host of your HA the other party (with the shared public key of the host of HA) is talking to. So in theory it could be used to connect to several other parties, not only the router.

It’s like having a key to your front door. Some people have the same lock on their front door as on their back door. So they could use the same key for both locks. They probably still use the name ‘front door key’ for it. And then someone comes around and says: “That’s confusing to me”. :smiley: So, not a big problem.

Thanks.

I followed the steps and I implemented it in an Asus RT-AC58U

20190718 - Home Assistant 0.95.4

configuration.yaml

asuswrt:
  host: 192.168.1.1
  username: !secret usr_asus
  ssh_key: /config/ssh/ssh_asus_private_key 

I hope it will be useful.

Question: is there any way to pull the ssh_asus_private keys on macOS via terminal? I do not feel comfortable installing a ported version of PuttyGen on my MacBook via Homebrew.