Important Tip: Using SSH in shell_command scripts; accepting host keys!

I spent the better part of a month troubleshooting this issue and only today found the solution. Since I browsed dozens of posts here for an answer to what seemed like the exact same problem, but not finding the solution, I wanted to post this here so the next person doesn’t lose a month of their life trying to figure out why their SSH command won’t run in a shell_command script within HA despite seeming to run just fine from console!

So, here’s the setup:

  • .sh script with an ssh command inside
  • a shell_command integration added in configuration.yaml
  • an Automation/Script calling that shell_command

My script ran just fine via SSH console (Advanced SSH & Web Terminal), but would simply do nothing when run inside HA via script or automation. I saw the running_script: false in the Step Details that many others see in this situation.

I tried literally everything mentioned in every post I could find here, Reddit, etc. Nothing would get ssh to work. Then I happened upon a seemingly unrelated post that spawned a thought: HA is multi-layered, especially in the case of HAOS: Host > Supervisor > HA inside a container. The SSH Add-on places you in the Supervisor layer but HA is still running one layer deeper.

Yes, the shell script runs fine inside the Supervisor layer…but I never directly tried it within the HA container layer of this whole cake!

You have to disable Protected Mode in the SSH Add-on so you can access the docker command. Then, I ran this command to access HA’s container directly so I could try my shell script:

docker exec -it homeassistant bash

When I ran my shell script in there, it all became clear:

The authenticity of host 'blah-blah-blah (10.10.0.6)' can't be established.
ED25519 key fingerprint is SHA256:AintNoWayImShowingYouThis84f53485fo345f8y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

While the key was already known within the Supervisor (I confirmed a similar prompt back when I was first testing), it was NOT yet known within the HA container itself! Once I manually said yes to this prompt, my shell script started running just fine in my automation!

You will only have to do this step once for any given ssh host, regardless of how many scripts contact that host, as the key will be permanently stored in known_hosts within the HA container.

My quest is now complete. I genuinely hope this helps others avoid such a long journey.

You seem to have missed this community guide that makes a point of mentioning it. It’s also linked to in the pinned Home Assistant Cookbook (the only post under the SSH heading). The Home Assistant Cookbook - Index.

I think I was only at 1.5 - 2 weeks of pulling my hair out before I search-lucked my way onto that post, sorry about your month.

Funny how Google, DDG, et al and this forum search failed me on multiple occasions over a month. Search is dead; AI killed it. :skull:

Hopefully this more recent conversation improves someone else’s odds, since the Google Gods seem to think that this needs more exposure to be in any way relevant in search rankings. :man_shrugging:

Can’t disagree.

FWIW I did inquire about getting the ‘Community Guides’ into the side panel here on the forums as it’s currently disabled by default :man_shrugging:, but apparently these forums are being held together with bubble gum and shoe string so it’ll be a while.

It’s not permanent actually. If you stop there, your script will break the next time you update HA, guaranteed. It may also break before that if an issue triggers a rebuild of the core container. The folder /root is not part of the image, so any time the container is rebuilt from the image your changes there are wiped.

You should take a look at the Handling the known_hosts file section in the mentioned guide for how to fix that.

Also, I assume you’re putting a password in the command (and therefore the config), otherwise you would be hitting this same issue with your identity file. The guide tells you how to deal with that properly as well if you’re interested in going password-less and removing that from your config.

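To tie the two points above together (the original post's silent failure caused by an unanswered host-key prompt inside the core container, and the reply's warning that /root in that container is wiped on rebuild), here is an added example of a small wrapper a shell_command script could source. It is not code from the thread, from the linked guide or from Home Assistant. It assumes a known_hosts file and an identity file kept under /config (any persistent path works; the exact locations are placeholders), and it checks that the host key is already pinned before it ever runs ssh, so a missing key shows up as a clear error in the log instead of a prompt nobody can answer.

```shell
#!/bin/sh
# Added example (not from the thread or from Home Assistant): an ssh wrapper for a
# shell_command script that never prompts and reads host keys from a known_hosts
# file kept under /config, which survives rebuilds of the core container (/root does not).
# The /config paths and the hosts used below are assumptions/placeholders.

KNOWN_HOSTS="${KNOWN_HOSTS:-/config/.ssh/known_hosts}"
IDENTITY="${IDENTITY:-/config/.ssh/id_ed25519}"

# host_key_known FILE HOST
# Succeeds when FILE holds an unhashed entry for HOST. A known_hosts line is
# "host[,host...] keytype base64-key [comment]"; hosts on a non-default port
# appear as "[host]:port". Hashed entries (|1|...) cannot be matched this way.
host_key_known() {
    file=$1
    host=$2
    [ -r "$file" ] || return 1
    awk -v h="$host" '
        /^#/ || NF < 3 { next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == h || index(hosts[i], "[" h "]:") == 1) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$file"
}

# ssh_opts
# Options that turn an unknown or changed key into a hard failure instead of a
# prompt (the prompt is exactly what leaves shell_command silently doing nothing).
ssh_opts() {
    printf '%s' "-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS -i $IDENTITY"
}

# run_remote [USER@]HOST CMD...
# Returns 2 without contacting the host when its key is not pinned yet;
# otherwise runs CMD over ssh and returns ssh's own exit status.
run_remote() {
    target=$1
    shift
    host=${target#*@}   # drop any user@ prefix for the known_hosts lookup
    if ! host_key_known "$KNOWN_HOSTS" "$host"; then
        echo "no host key for $host in $KNOWN_HOSTS; add it once (e.g. ssh-keyscan $host >> $KNOWN_HOSTS) and compare the fingerprint with ssh-keygen -lf before trusting it" >&2
        return 2
    fi
    # shellcheck disable=SC2046  # the option string is intentionally word-split
    ssh $(ssh_opts) "$target" "$@"
}

# Usage from a shell_command script, e.g.: ./remote.sh user@10.10.0.6 'uptime'
if [ $# -gt 0 ]; then
    run_remote "$@"
fi
```

The one-time step then becomes: inside the core container (docker exec -it homeassistant bash, as in the post), write the verified key into /config/.ssh/known_hosts instead of answering yes to the prompt, and point the shell_command entry in configuration.yaml at this script. Because BatchMode and StrictHostKeyChecking are set, a host whose key changes later fails loudly in the HA log rather than hanging or silently accepting a new key.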

No, I’m using an identity file. I would never put a bare SSH password in a script.

Now, this is good to know. I’m on the verge of blowing out this entire install and starting from scratch anyway, as I started with a very early version of HAOS, so I’m sure I’ve accumulated a whole bunch of crap, particularly at the bare host level. One of the boot slots always fails. I have about 20GiB of consumed space that I cannot account for anywhere within HA, and I can’t be bothered to go through all the extra work of setting up direct access to the host to suss it out (usb drives to alter host config and all that jazz) on this particular system.

I did try to launch a new HAOS image and restore from backup about a year and a half ago, but there was something terribly broken in the restore wizard; three attempts over 16 hours and I couldn’t get a restore to take. So, I gave up. I need to try again, since the redesign of the backup system likely changed those mechanics.

When I fire up the new clean instance, I’ll give the cookbook an end-to-end read to cover all this nitty gritty in earnest. To go through all these extra steps on such a battered instance will likely prove a waste of my time. I just hope a clean restore actually works this time; otherwise, what’s the point of a “full backup”?
