How to Shutdown Terramaster NAS with SSH keypair and shell_command

This is what I was looking for. The NAS is accepting public key auth. Now you can enable public key auth from Ubuntu to NAS using user Master.

Since you don't have any suitable key pair, you have to generate one. Then you can use the command ssh-copy-id from Ubuntu to install the public key to the NAS in the home directory of Master user.
Follow this guide for step-by-step instructions. Please, don't set a password for the private key, otherwise it would be useless for this specific purpose!

Please note that this guide was written for a standard SSH server on port 22. The NAS runs SSH on a custom port. I've never faced this scenario, but again, it still seems possible to use the ssh-copy-id command.

After that, you should be able to SSH to the NAS without using a password. If this works for Ubuntu, then you can do the same for Homeassistant. Again, once you complete the procedure, test the login. Also homeassistant should be able to use key based auth.

Reach this point, then we can move further into sudo command configuration. :sweat_smile:


Thank you so much!!! I’ll try as soon as possible!!! But I have to study first. I’ll let you know in the next days possibly.
Thanks again!!!

Edit:
It took 10 minutes and incredibly, it worked at first attempt from ubuntu. I’m starting to believe I won’t have to buy a fingerbot.
I’ll try with HA asap although specific procedure isn’t yet clear to me.
Thank you so much again!!!

Just copy the private key you generated in Ubuntu to somewhere in the HA config folder. In your shell_command call the private key for the SSH command.

shell_command:
  shutdown_tnas: ssh -i ***path to key*** -o 'StrictHostKeyChecking=no -p 9222 ***nas_ip***

Note: I’m on mobile so be sure to check spacing.

Reboot HA and call your shell command from the services tab in dev tools.

I made a folder in /config called sshkeys so mine is:

ssh -i /config/sshkeys/key

As soon as I try I'll let you all know. Thank you very very much for your help and patience!!!
:hugs:

Edit:
I copied id_rsa.pub into a newly created config folder in / so that I could imitate your configuration.
I created the shell_command with proper modification and a small correction, there's a ' missing after …=no. At first it gave me a syntax error.
But even though I corrected the insignificant error, I get:

stdout: ""
stderr: "Warning: Identity file /config/sshkeys/id_rsa.pub not accessible: No such file or directory.\nPseudo-terminal will not be allocated because stdin is not a terminal.\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

I’m sure id_rsa.pub is there. I thought of another syntax error, but adding and removing / randomly didn’t help.

In my dumb opinion I may think there’s a syntax error, but there are so many things that can go wrong…

Edit 2:
I repeated the procedure to create ssh key straightly in HA ssh integration and copy it to NAS.
Everything went fine, ssh login to NAS happens without asking for password on HA cli, but shell_command still doesn’t work.
I still get:

stdout: ""
stderr: "Warning: Identity file /root/.ssh/id_ed25519.pub not accessible: No such file or directory.\nPseudo-terminal will not be allocated because stdin is not a terminal.\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

As said, others had tried to achieve this result through ssh, but it seems no one succeeded. I posted that ssh couldn't be used because of that, but many of you stated it was possible since logs. Are you still sure this is possible?
I’m stuck again and, as you might see, my attempts are ruled by search engines and casualty so sorry for bothering you with questions you almost surely find annoying, but would you help me finish the job?
Otherwise the request for one integration among “Terramaster”, “adjustable SNMP server” or a “control over USB system” was not wrong in the end. I’ll probably repost the request in this case, I’ll work on the title first.
Thanks again and again

Don't panic! As you can see the ssh login without password is possible and you have already achieved that in Ubuntu. You did say that you are able to use interactive login from HA to the NAS also. You are a step away from closing the circle! Also what kind of HA are you using? Core? Supervised? Docker container? (maybe you have already told that, I'm sorry).

Can you post the shell command that you put inside HA configuration?
Also please create a new shell_command like this:

shell_command:
  demo_command: whoami

and post the output of it. It could be useful to address eventual permission issue.
Also, from interactive shell of HA, do:

ls -la /config/path_to_your_ssh_folder/*

I would like to check if the files are owned by the same user that runs HA and that executes the shell_command.

Another question: once you logged on the NAS with SSH (from Ubuntu or HA, it does not matter) with the Master user, are you able to perform the poweroff command? With or without the help of 'sudo'?

Also please, if you have some news, don’t edit a previous post. Write a new one, so we can receive notifications.


It seems the root of your current issue is that you need a dedicated user for the secure SSH control of the NAS. If you don't have access to set up a dedicated account on the NAS for this then you will need to rebuild it, especially if you don't have admin access.

I don’t think so, from this message

I guess it is a permission problem on the HA side. SSH client is not able to read the public key on HA /config folder. That's why I asked OP to do some tests and report back.

At least once it's configured, a better-written how-to can be set up for others in the same situation to make it easier in the long term to refer to.


Hello guys!

This is shell_command in config.yaml

shell_command:
  shutdown_tnas: ssh -i /root/.ssh/id_ed25519.pub -o 'StrictHostKeyChecking=no' -p 9222 192.168.1.224 sudo -S poweroff

id_ed25519.pub is the key I produced from HA cli and I copied directly to NAS.
I can ssh login from HA cli to NAS without password, so key exchange happened and worked.
Only shell_command is not

How about the other tests that I asked for? I need to know those details also.

When calling shell_command I get:

stdout: ""
stderr: "Warning: Identity file /root/.ssh/id_ed25519.pub not accessible: No such file or directory.\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

When calling ls -la in HA cli I get:
-rw------- 1 root root 399 May 3 22:12 /root/.ssh/id_ed25519

Sorry but I haven’t found a way to select and copy text from HA cli, I have to write it, so spacing is surely wrong

Demo_command gives:

stdout: root
stderr: ""
returncode: 0

Once logged into NAS, sudo doesn’t work, but poweroff does :+1:

Sorry if I edit, on the first day I was blocked after 5 replies, now I try to make less. New messages will be on a new reply, granted.
I also temporarily post an incomplete post while editing it to avoid losing what I did by pushing the wrong (X) and closing the page for instance. Sorry for this too.
Thanks

Wait, I’m an idiot.
shell command is missing user.
let me try correcting it and removing sudo -S

Nope. I still get:

stdout: ""
stderr: "Warning: Identity file /root/.ssh/id_ed25519.pub not accessible: No such file or directory.\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

I also tried this

shell_command:
  shutdown_tnas: ssh -p 9222 [email protected] poweroff

to see if ssh could resolve the identity by itself, but got almost the same result:

stdout: ""
stderr: "Permission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

I guess that the identity files (both id_rsa and id_rsa.pub) must be under the /config folder. You can try to move the ‘.ssh’ directory under that folder and change the ssh commands accordingly. Also try a more “safe” command in the ssh command, like ‘hostname’ for example.


I couldn’t find /root folder to cut files from in smb or file editor. Probably I should do this with ssh, but I’m not sure how, so I first tried using the .ssh folder on Ubuntu, the one with the id_rsa.pub and other files that was created to log into NAS, but I got the same message that will follow.
So I ran ssh keygen again specifying /config/.ssh/id_ed25519.pub as output. Probably I mistook something because in both cases I get:

stdout: ""
stderr: "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nPermissions 0644 for '/config/.ssh/id_ed25519.pub' are too open.\r\nIt is required that your private key files are NOT accessible by others.\r\nThis private key will be ignored.\r\nLoad key \"/config/.ssh/id_ed25519.pub\": bad permissions\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

You’re almost there and I missed a step. You have to change the permissions on the key.

You want to run ‘chmod 600 /config/.ssh/id_ed25519’ from the SSH add-on

The other issue is making sure the right keys are in the right place. You should have had two keys

id_ed25519
id_ed25519.pub

The first is the private key and the second is the public key. The private key should be on HA (origination of SSH) and the public key should be on the NAS.

In your shell command, you’ll use the private key.

Your problem before was having the key in the /root folder of the SSH add-on which HA cannot access.

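Added example, not part of any post in this thread: a pre-flight check for the failure modes visible in the error output above (public key passed to -i, key file not readable by the user running shell_command, key file with permissions that are too open), plus one way to build the ssh line. The function names, the header-only key test, and the BatchMode, IdentitiesOnly, accept-new and UserKnownHostsFile options are choices made for this example (accept-new needs OpenSSH 7.6 or later); user Master, the IP address and port 9222 are taken from the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for the key a Home Assistant shell_command passes to ssh -i.

# check_identity FILE -> prints "ok" and returns 0, or prints the reason and returns non-zero.
check_identity() {
    key=$1
    case $key in
        *.pub) echo "public key given: use the private key (same name without .pub)"; return 2 ;;
    esac
    [ -r "$key" ] || { echo "not readable by user $(id -un): $key"; return 3; }
    # Header test only; it does not prove the key parses or matches authorized_keys on the NAS.
    head -n 1 "$key" | grep -q 'BEGIN .*PRIVATE KEY-----' || { echo "not a private key: $key"; return 4; }
    # GNU/BusyBox stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        ?00) ;;   # no group/other bits, e.g. 600 or 400
        *) echo "mode $mode is too open: chmod 600 $key"; return 5 ;;
    esac
    echo "ok"
}

# ssh_line KEY USER HOST PORT COMMAND -> prints a command line for shell_command.
# BatchMode makes ssh fail at once instead of falling back to password prompts;
# IdentitiesOnly offers only the named key; accept-new pins the NAS host key on
# first use in a known_hosts file kept next to the key (assumed layout).
ssh_line() {
    printf 'ssh -i %s -o BatchMode=yes -o IdentitiesOnly=yes' "$1"
    printf ' -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=%s/known_hosts' "$(dirname "$1")"
    printf ' -p %s %s@%s %s\n' "$4" "$2" "$3" "$5"
}

# Demo on constructed files in a scratch directory (no real key material).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' > "$d/id_ed25519"
    printf '%s\n' 'ssh-ed25519 AAAA-constructed root@ha' > "$d/id_ed25519.pub"
    chmod 644 "$d/id_ed25519"
    check_identity "$d/id_ed25519.pub" || true   # the mistake in the thread
    check_identity "$d/id_ed25519" || true       # right file, wrong mode
    chmod 600 "$d/id_ed25519"
    check_identity "$d/id_ed25519" && ssh_line "$d/id_ed25519" Master 192.168.1.224 9222 hostname
    rm -rf "$d"
}
demo
```

Run it in the same environment that executes shell_command, since readability depends on which user and filesystem that process sees.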

I ran chmod on id_ed25519 but it gave me the same result.
So I ran it on ed_ed25519.pub and launching shell_command gave me:

stdout: ""
stderr: "Load key \"/config/.ssh/id_ed25519.pub\": error in libcrypto\r\nPermission denied, please try again.\r\nPermission denied, please try again.\r\nReceived disconnect from 192.168.1.224 port 9222:2: Too many authentication failures\r\nDisconnected from 192.168.1.224 port 9222"
returncode: 255

Right…you still have your shell command using the public key. You need to change it to use the private key instead.
