Power on / off NAS by using WOL and SSHPASS

Share your Projects!
1

Hello togehter,

I just switched from OpenHAB to HomeAssistant (HassIO on Raspberyy PI4 4GB).

Now I try to adapt my OpenHAB switches etc. to HomeAssistant.

One of the “problems” I’ve run into is a switch to power on / off my synology nas.

It seemed to be quite complicated due to the lack of permissions etc… Also everything i read on did not realy work for me. So I got a bit deeper (first time to use docker etc.)

And found the following Solution for my problem which I will show you below.

  1. Create a SWITCH for powering on / off.
switch:
  - platform: wake_on_lan
    name: YOURNAME
    mac: YOURMAC
    host: YOURIP
    turn_off:
      service: shell_command.turn_off_YOURNAME
shell_command:
    turn_off_YOURNAME: bash /path/to/script/SCRIPTNAME.sh
  1. Create the script “SCRIPTNAME.sh” for powering off:
#! /bin/bash
sshpass -p "REMOTEPASSWORD" ssh -t REMOTEUSER@REMOTEIP "echo REMOTEPASSWORD | sudo -S poweroff"
  1. Install the “SSH & Web Terminal” Add-On and deactivate the “protection mode”.

In Terminal run:
docker ps -a

Look for the one with two times “homeassistant” in the name by “Image” and copy the “CONTAINER ID”

  1. Run from Terminal:
    sudo docker exec -it CONTAINERID /bin/bash

  2. Run from Terminal:
    apk add sshpass

  3. Connect to remote host to verify the fingerprint
    ssh -t REMOTEUSER@REMOTEIP

type “yes” to confirm the fingerprint and add your password.

Quit by typing:
exit

  1. Optional: Turn on “protection mode” again.

You’re done now. The switch will power on your NAS by using WOL and power it off by using sshpass.

NOTE: You have to do step 4 to 6 after every Update!

Hope that will help someone else!

Greetings

6 Likes
2

I did not want to perform the “apk add sshpass” after every update, so I changed the connection to SSH with Keyfiles. For a HowTo to do so on synology nas, you can follow this one: Log in to a Synology DiskStation using SSH keys as a user other than root

First of all, you have to add the SSH Keyfiles on the Hostsystem (the private key needs to be openssh format) and then

Put the Private Key FIle
(private_key)

to

/config/ssh_keys/
on Home Assistant

CHMOD it to 600

chmod 600 /config/ssh_keys/private_key
(use the Console Addon)

Create a SWITCH for powering on / off.

switch:
  - platform: wake_on_lan
    name: YOURNAME
    mac: YOURMAC
    host: YOURIP
    turn_off:
      service: shell_command.turn_off_YOURNAME
shell_command:
    turn_off_YOURNAME: bash /path/to/script/SCRIPTNAME.sh

Create the script “SCRIPTNAME.sh” for powering off:

ssh -i /config/ssh_keys/private_key -o StrictHostKeyChecking=no SSHUSERNAME@HOSTIP "echo REMOTESERVERROOTPASSWORD | sudo -S poweroff"

SSHUSERNAME = Username to connect via SSH to the remote Host
HOSTIP = IP of the remote Host
REMOTESERVERROOTPASSWORD = RootPassword of the Remote Host to have enough rights to run the poweroff

DONE :wink:

3 Likes
3

Hi @Lucan,

Minor correction to your code above:

    turn_off:
      service: shell_command.turn_off_YOURNAME

should be

    turn_off:
      service: shell_command.turn_off_storage

matching the shell_command:

shell_command:
    turn_off_storage: bash /path/to/script/SCRIPTNAME.sh

pretty much sure it was a typo …

thanks for your code. I can now easily wake up my NAS and switch it off when needed through HA.

4

Forgot to rename the name i choose (storage) with “YOURNAME” in the tutorial above. I changed it now - thank you.

5

It is faster and easier creating a switch like this:

switch:
  - platform: wake_on_lan
    name: "NAME_NAS"
    mac: 00-AA-BB-CC-DD-EE
    host: 192.168.1.2
    turn_off:
      service: synology_dsm.shutdown

Of course, you need first to integrate the Synology NAS in Home Assistant: Menu: Configuration -> Integrations . Search for “Synology DSM”, fill in the configuration form with your username and password, and then click Submit .
MAC and host addresses above are examples, you will need yours.
Wake on lan service also needs to be in configuration.yaml of home assistant:

# Example configuration.yaml entry
wake_on_lan:
1 Like
6

True, nice for synology - did not know that there is a service included for that.

But mine could be adapted for almost every linux computer - so both is usefull.

7

Is there also a way to turn on the synology?

8

The Switch turns it on with WOL - so yes

9

I tried doing this but to connect to my windows machine. I generated a key using “ssh-keygen” on windows and copied the contents of the id_rsa to a file in my config “/config/ssh_keys/id_rsa”, so my shell command is:

ssh -i /config/ssh_keys/id_rsa -o StrictHostKeyChecking=no username@ip_of_windows "powercfg -h off & rundll32.exe powrprof.dll,SetSuspendState 0,1,0"

However it still asks for the password when I test it in the SSH terminal on the Home Assistant.

Any assistance on how to get this working would be greatly appreciated!
Cheers,
Josh

10

worked for my qnap thank you

11

Hello gomble,
I have a QNAP TS 251+.
can you describe in a bit more detail your solution for the WOL of the QNAP in Home Assistant?

Do I need the ssh files? if yes, where can i get the keys and where do I have to put it on the qnap?
And where do I have to put the script? e.g. /config/scripts/ SCRIPNAME.sh ?

thanks in advance!

12 
switch:
  - platform: wake_on_lan
    mac: 24:5E:BE:0C:A9:88
    name: QNAP
    host: 192.168.178.195
    turn_off:
      service: shell_command.turn_off_qnap

This switch starts my qnap with wol

The shell command stops it


shell_command:
  turn_off_qnap: "bash /config/qnapshutdown.sh"

Qnapshutdown.sh:

ssh -i /config/ssh/qnap/id_rsa -o StrictHostKeyChecking=no [email protected] "poweroff"

You have to generate ssh keys with the terminal addon. I have saved my ssh keys under /config/ssh/qnap. Then you have to activate ssh in qnap and upload the ssh keys via gui to the qnap. This is described in this thread.

13

Hey all!

I am trying to figure out how to create ssh key on the QNAP 464 so that my HA can connect directly to it in an automation in order to shut it down gracefully.

Since HA knows when my UPS is on battery or not I want HA to gracefully shut down the QNAP NAS when UPS is on battery.

These are the steps needed as I understand it:

  1. Log on to the QNAP with ssh as admin.
  2. Generate a ssh key ← This is where I am stuck. How do I do that?
  3. Download client key from QNAP server.
  4. Log on to the HA server with ssh and upload the client key ← Where do I store it?
  5. Run “shell_command” with command “halt” in my automation.

Can anyone help me with step 2 and 4?

14

I solved this myself by doing this:

  1. ssh in to Home Assistant.
  2. Ran following command
ssh-keygen -t rsa -C "QNAP HA"

Make sure not to use any password (just press Enter when prompted twice).

  1. From HA I ssh in to QNAP server:
ssh admin@nas01
  1. I trusted the login
  2. I disconnected the ssh session from the QNAP server and was back in HA ssh session.
  3. Now I copied the key from HA to QNAP server using:
ssh-copy-id admin@nas01
  1. Done! I was now able to ssh from HA to QNAP server without any password.
15

Is there anyway to keep the sshpass from disappearing upon reboots/ OS updates?
This method works great for NAS shutdown otherwise.
Can someone please explain why sshpass (or any other package?) is not retain after reboots (on HassOS)

16

Well, I had the same need, and solved it by installing sshpass with apk, and after that copying the binary into homeassistant folder (where all YAML files are). I can’t say if it is the right/best/optimal solution, but it is retained after the reboot/upgrade

17

thanks , works fine. But every time I upgrade the HA core I have to go through these steps again.

Go to Settings → plugins → Advanced SSH & Web Terminal → Uncheck protection mode → reboot

Go to Terminal →

docker ps -a

(look for the CONTAINER ID of the Docker container which is called homeassistant and its IMAGE is [Package qemux86-64-homeassistant · GitHub](http ://ghcr.io/home-assistant/qemux86-64-homeassistant:2024.5.4))

sudo docker exec -it CONTAINERID /bin/bash

apk add --update --no-cache sshpass

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-dss,ssh-rsa -t [email protected]

yes

Type password

exit

Go to Settings → Add-ons → Advanced SSH & Web Terminal → Check protection mode → reboot

1 Like
18

hi guys! I have the solution that is fully functional but with some security concerns. Here is my full guide, that could help:

:white_check_mark: SOLUTION

  • Used sshpass only inside the Advanced SSH & Web Terminal add-on, not from Home Assistant Core.
  • Stored the NAS password in a file, avoiding exposure in command lines.
  • Used SSH config for clean targeting of remote hosts.
  • Separated scripts and shell commands.
  • Set sensible file permissions.

Requirements:

  • Advanced SSH & Web Terminal Add-on
  • Protection mode off in the Add-on

Config of Advanced SSH & Web Terminal Add-on:

username: "hassio"
password: "!secret ssh_pass"
authorized_keys:
  - >-
    ssh-rsa
    AAAAB3NzaC1yc2EAAAADAQABAAA...TRUNCATED...
    homeassistant
sftp: false
compatibility_mode: false
allow_agent_forwarding: false
allow_remote_port_forwarding: false
allow_tcp_forwarding: false
init_commands:
  - apk add --update --no-cache sshpass
allow_remote: true

NOTE: The add-on’s init_commands only run at container boot time, not when you open a new Terminal window in the UI. The terminal you open is likely a new shell session not tied to the startup init_commands. Even though I restarted the service, sometimes sshpass disappeared. That’s why, I have put it in the script as well.

VSC Add-on in Home Assistant:

/config/.ssh/config

# homeassistant server
Host 10.10.10.18
  UpdateHostKeys yes
  User hassio
  UserKnownHostsFile /config/.ssh/known_hosts
  IdentityFile /config/.ssh/id_rsa_HA
  IdentitiesOnly yes

/config/.ssh/id_rsa_HA

-----BEGIN OPENSSH PRIVATE KEY-----
b3Bl...

/config/.ssh/known_hosts
only created the file

/config/pass/ssh_nas_pass.txt

<your NAS admin password>

/config/scripts/nas_reboot.sh

#!/bin/sh
command -v sshpass >/dev/null 2>&1 || apk add --update --no-cache sshpass
sshpass -f /root/config/pass/ssh_nas_pass.txt ssh \
  -o StrictHostKeyChecking=accept-new \
  -o UserKnownHostsFile=/root/config/.ssh/known_hosts \
  -o KexAlgorithms=+diffie-hellman-group1-sha1 \
  -o HostKeyAlgorithms=ssh-rsa \
  -t [email protected] reboot

/config/scripts/nas_shutdown.sh

#!/bin/sh
command -v sshpass >/dev/null 2>&1 || apk add --update --no-cache sshpass
sshpass -f /root/config/pass/ssh_nas_pass.txt ssh \
  -o StrictHostKeyChecking=accept-new \
  -o UserKnownHostsFile=/root/config/.ssh/known_hosts \
  -o KexAlgorithms=+diffie-hellman-group1-sha1 \
  -o HostKeyAlgorithms=ssh-rsa \
  -t [email protected] poweroff

/config/configuration.yaml

shell_command: !include shell_commands.yaml

/config/shell_commands.yaml

nas_reboot: ssh -F /config/.ssh/config [email protected] "/root/config/scripts/nas_reboot.sh"
nas_shutdown: ssh -F /config/.ssh/config [email protected] "/root/config/scripts/nas_shutdown.sh"

Set the file permissions:

% ssh ha
chmod 700 /root/config/.ssh
chmod 600 /root/config/.ssh/id_rsa_HA
chmod 600 /root/config/.ssh/config
chmod +x /config/scripts/nas_reboot.sh
chmod +x /config/scripts/nas_shutdown.sh

Do the first login manually to build up known_hosts file and test SSH configuration:

% ssh ha
➜  ~ ssh-keyscan 10.10.10.10 >> /config/.ssh/known_hosts
➜  ~ docker ps -a
CONTAINER ID   IMAGE                                                      COMMAND      CREATED        STATUS         PORTS   NAMES
f187c7e759af   ghcr.io/home-assistant/qemux86-64-homeassistant:2025.7.4   "/init"      16 hours ago   Up 12 minutes          homeassistant
➜  ~ docker exec -it f187c7e759af /bin/bash
homeassistant:/config# ssh -F /config/.ssh/config [email protected]
The authenticity of host '10.10.10.18 (10.10.10.18)' can't be established.
ED25519 key fingerprint is SHA256:FBZoBinSQJCtRvOopqvcl6tJ2s4WFm2HS1T3THFNmv4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.18' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/config/.ssh/id_rsa_HA' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/config/.ssh/id_rsa_HA": bad permissions
no such identity: /config/.ssh/id_rsa: No such file or directory
homeassistant:/config# chmod 600 /config/.ssh/id_rsa_HA
homeassistant:/config# ssh-keygen -p -f /config/.ssh/id_rsa_HA -m pem
homeassistant:/config# ssh -F /config/.ssh/config [email protected]

:lock: Security comments & Suggestions

1. Sensitive Files Placement

  • If you’re using /config/pass/ssh_nas_pass.txt — this is readable by any add-on or integration with access to /config. Consider moving it to /root/.secrets/ssh_nas_pass.txt inside the Advanced SSH add-on, which is more isolated.

    :warning: You’ll then also need to update your scripts to reference the new path.

NOTE: If I put it in the container, the info will be lost when the add-on is updated. That’s why I took this risk.

2. Hardcoded Credentials in Scripts

  • The SSH password is still read in plain text via sshpass. If your NAS supports SSH key-based login, you should switch to using a key instead. That way:

    • You eliminate sshpass
    • You avoid storing passwords anywhere
    • You can lock down the key with from= in the authorized_keys on the NAS

If that’s not possible, consider restricting the NAS SSH user:

  • Create a dedicated NAS user for HA with limited rights (just reboot and poweroff)

  • Disable interactive shell for that user on the NAS (nologin shell or command-restricted keys)

  • Disable password auth on NAS if switching to key-based auth:

    PermitRootLogin prohibit-password
PasswordAuthentication no

NOTE: This is valid on a newer NAS. In my case this was not possible due to busybox and embedded linux.

3. Minimal Add-on Permissions

  • You’re already running Protection mode: off, which is required to access /root and /config. Keep that limited to this add-on only.
  • Also make sure SSH access is limited to LAN or VPN users only — do not expose SSH externally.
19

The solution for automatic SSH installation, even if the core is updated, is…

# We install the sshpass apk on each run because when we update the HA core, it gets lost, so we reinstall it on each call to the script in case it was lost.

apk add --update --no-cache sshpass

# Using sshpass, we connect to the computer and run the command

sshpass -p "xxxxxxxxxxxxxxxxx" ssh -o MACs=hmac-sha1 -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected] "reboot"