How to Shutdown Terramaster NAS with SSH keypair and shell_command

Hello guys!

This is shell_command in config.yaml
shell_command:

shell_command:
  shutdown_tnas: ssh -i /root/.ssh/id_ed25519.pub -o 'StrictHostKeyChecking=no' -p 9222 192.168.1.224 sudo -S poweroff

id_ed25519.pub is the key I produced from HA cli and id copied directly to NAS.
I can ssh login from HA cli to NAS without password, so key exchange happened and worked.
Only shell_command is not

How the other test that I asked? I need to know those details also.

When calling shell_command i get:

stdout: ""
stderr: "Warning: Identity file /root/.ssh/id_ed25519.pub not accessible: No such file or directory.\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

When calling ls -la in HA cli i get:
-rw------- 1 root root 399 May 3 22:12 /root/.ssh/id_ed25519

Sorry but I haven’t found a way to select and copy text from HA cli, I have to write it, so spacing is surely wrong

Demo_command gives:

stdout: root
stderr: ""
returncode: 0

Once logged into NAS, sudo doesn’t work, but poweroff does :+1:

Sorry if I edit, on the first day I was blocked after 5 replies, now I try to make less. New messages will be on a new reply, granted.
I also temporarily post an uncomplete post while editing it to avoid loosing what I did by pushing the wrong (X) and closing the page for instance. Sorry for this too.
Thanks

Wait, I’m an idiot.
shell command is missing user.
let me try correcting it and removing sudo -S

Nope. I still get:

stdout: ""
stderr: "Warning: Identity file /root/.ssh/id_ed25519.pub not accessible: No such file or directory.\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

I also tried this

shell_command:
  shutdown_tnas: ssh -p 9222 [email protected] poweroff

to see if ssh could resolve the identity by itself, but got almost the same result:

stdout: ""
stderr: "Permission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

I guess that the identity files (both id_rsa and id_rsa.pub) must be under the /config folder. You can try to move the ‘.ssh’ directory under that folder and change the ssh commands accordingly. Also try a more “safe” command in the ssh command, like ‘hostname’ for example.

1 Like

I couldn’t find /root folder to cut files from in smb or file editor. Probably I should do this with ssh, but I’m not sure how, so I first tried using the .ssh folder on Ubuntu, the one with the id_rsa.pub and other files that was created to log into NAS, but I got the same message that will follow.
So I ran ssh keygen again specifying /config/.ssh/id_ed25519.pub as output. Probably I mistook something because in both cases I get:

stdout: ""
stderr: "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nPermissions 0644 for '/config/.ssh/id_ed25519.pub' are too open.\r\nIt is required that your private key files are NOT accessible by others.\r\nThis private key will be ignored.\r\nLoad key \"/config/.ssh/id_ed25519.pub\": bad permissions\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

You’re almost there and I missed a step. You have to change the permissions on the key.

You want to run ‘chmod 600 /config/.ssh/id_ed25519’ from the SSH add-on

The other issue is making sure the right keys are in the right place. You should have had two keys

id_ed25519
id_ed25519.pub

The first is the private key and the second is the public key. The private key should be on HA (origination of SSH) and the public key should be on the NAS.

In your shell command, you’ll use the private key.

Your problem before was having the key in the /root folder of the SSH add-on which HA cannot access.

1 Like
1 Like

I ran chmod on id_ed25519 but gave me same result.
So I ran it on ed_ed25519.pub and launching shell_command gave me:

stdout: ""
stderr: "Load key \"/config/.ssh/id_ed25519.pub\": error in libcrypto\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

Right…you still have your shell command using the public key. You need to change it to use the private key instead.

1 Like

Yes! Seems like login Happened!
But not working yet.
Now I get:

stdout: ""
stderr: "bash: line 1: poweroff: command not found"
returncode: 127

In config.yaml i have:

shell_command:
 shutdown_tnas: ssh -i /config/.ssh/id_ed25519 -o 'StrictHostKeyChecking=no' -p 9222 [email protected] poweroff

Try using the full path, like /sbin/poweroff or something like that… To find where is the command, use ‘which poweroff’ from an interactive ssh session of the NAS.

1 Like

You may also want to SSH from the HA CLI and run ‘whoami’ to make sure it’s logging you in as the correct user.

1 Like

Guys, it worked!
I don’t really know how to thank you for all the help you gave me and patience you showed.
I don’t even really know which reply to mark as solution.
Thanks forever and ever and ever and ever…

P.s.
To be thorough, in case anyone else will ever need this, NAS warned me that “shutdown” should be used instead of “poweroff”

2 Likes

Finally the solution was brought by @FriedCheese and @blackfede. Thanks, you made this a great day.

To summarize:

  1. Install and activate ssh on both HA and NAS.

  2. Access HA cli and generate keys with

ssh-keygen

don’t set passphrase and when prompted for file path:

  1. Type: /config/.ssh/id_rsa.pub

  2. Copy the generated keys to NAS using:
    ssh-copy-id -i /config/.ssh/id_rsa.pub user@NAS_IP using your credentials.

  3. Run:
    chmod 600 /config/.ssh/id_rsa’

  4. Create a shell_command entry in config.yaml:

shell_command:
 shutdown_nas: ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' -p 9222 user@NAS_IP /sbin/shutdown

using your credentials.

  1. Restart HA

Now you should be able to call a service called: shutdown_nas

This way, I got rid of the need for a smart UPS.

Please correct me if I badly reported something.
If you encounter an issue, since I mistook almost everything could be mistaken, you’ll likely find the brief solution among replies, so take time to and care of reading.

3 Likes

Woo! I’m glad it worked!

1 Like

Thanks to you and @FriedCheese

1 Like

hi all!
i believe that in step 3 we have to remove the “pub” extension.

using core 2024.9.3

no luck here… getting the error below when try to run action from developer tools:

stdout: ""
stderr: "Warning: Identity file /config/.ssh/id_rsa not accessible: No such file or directory.\nPermission denied, please try again.\r\nPermission denied, please try again.\r\[email protected]: Permission denied (publickey,password)."
returncode: 255