Remote ssh command: error 255

sorry yes, shell command.
the logs say no mutual signature algorithm?

stderr: OpenSSH_9.7p1, OpenSSL 3.3.2 3 Sep 2024\r\n
debug1: Reading configuration data /etc/ssh/ssh_config\r\n
debug1: /etc/ssh/ssh_config line 22: include /etc/ssh/ssh_config.d/*.conf matched no files\r\n
debug1: Connecting to 192.168.0.101 [192.168.0.101] port 22.\r\n
debug1: Connection established.\r\n
debug1: identity file /config/.ssh/id_rsa type 0\r\n
debug1: identity file /config/.ssh/id_rsa-cert type -1\r\n
debug1: Local version string SSH-2.0-OpenSSH_9.7\r\n
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1\r\n
debug1: compat_banner: match: OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1 pat OpenSSH* compat 0x04000000\r\n
debug1: Authenticating to 192.168.0.101:22 as 'hassio'\r\n
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory\r\n
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory\r\n
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory\r\n
debug1: SSH2_MSG_KEXINIT sent\r\n
debug1: SSH2_MSG_KEXINIT received\r\n
debug1: kex: algorithm: [email protected]\r\n
debug1: kex: host key algorithm: ecdsa-sha2-nistp256\r\n
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none\r\n
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none\r\n
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\n
debug1: SSH2_MSG_KEX_ECDH_REPLY received\r\n
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:oB4XU6ZVNRZljTeaeFKxlSj+Hb+RW0Tffanx9JaqFz4\r\n
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory\r\n
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory\r\n
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory\r\n
debug1: Host '192.168.0.101' is known and matches the ECDSA host key.\r\n
debug1: Found key in /root/.ssh/known_hosts:1\r\n
debug1: rekey out after 134217728 blocks\r\n
debug1: SSH2_MSG_NEWKEYS sent\r\n
debug1: expecting SSH2_MSG_NEWKEYS\r\n
debug1: SSH2_MSG_NEWKEYS received\r\n
debug1: rekey in after 134217728 blocks\r\n
debug1: SSH2_MSG_SERVICE_ACCEPT received\r\n
debug1: Authentications that can continue: publickey\r\n
debug1: Next authentication method: publickey\r\n
debug1: Will attempt key: /config/.ssh/id_rsa RSA SHA256:JyOOXgXFq05iwbY1uiYJ3K5oyweKLGMMyKqB6cfCc04 explicit\r\n
debug1: Offering public key: /config/.ssh/id_rsa RSA SHA256:JyOOXgXFq05iwbY1uiYJ3K5oyweKLGMMyKqB6cfCc04 explicit\r\n
debug1: send_pubkey_test: no mutual signature algorithm\r\n
debug1: No more authentication methods to try.\r\[email protected]: Permission denied (publickey)."
returncode: 255

How did you generate your public key pair? Sounds like you used a weak algorithm.

Have you confirmed manually that this key works for the target server?

yes it’s a weak key, I believe that is all that will work with the readynas.
but it’s not exposed outside the local network so I’m not concerned with that.
Using the code from Terminal & SSH addon it all works fine (I generated the key in HA Terminal & SSH).
It’s only when I try and run it from the shell that it fails.

If it works manually it should work as a shell command. In the manual mode add -vv to the ssh command and compare the output to the log above.

I think I’ve worked out the problem, I need a config file:

Host 192.168.0.101
    PubkeyAcceptedKeyTypes=+ssh-rsa
    HostKeyAlgorithms=+ssh-rsa

I have it in /root/.ssh and have copied it to config/.ssh
Terminal addon reads it from /root/.ssh, but I don’t think HA is reading it from either?

the -vv connection that works from terminal:

debug1: Next authentication method: publickey
debug1: Will attempt key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit
debug2: pubkey_prepare: done
debug1: Offering public key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit
Authenticated to 192.168.0.101 ([192.168.0.101]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug1: Sending command: rnutil
debug2: channel 0: request exec confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 87380
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
rnutil> 

The shell_command and the interactive logins aren’t using the same key. You can see that in the debug output.

shell_command:
Will attempt key: /config/.ssh/id_rsa RSA SHA256:JyOOXgXFq05iwbY1uiYJ3K5oyweKLGMMyKqB6cfCc04 explicit\r\n

interactive:
Offering public key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit

Thanks Martin,
I’ve sorted that (I’ve been trying a few things and must have messed that up); keys are correct but it’s still the same in HA:

debug1: SSH2_MSG_SERVICE_ACCEPT received\r\n
debug1: Authentications that can continue: publickey\r\n
debug1: Next authentication method: publickey\r\n
debug1: Will attempt key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit\r\n
debug1: Offering public key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit\r\n
debug1: send_pubkey_test: no mutual signature algorithm\r\n
debug1: No more authentication methods to try.\r\[email protected]: Permission denied (publickey)."

Versus terminal:

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Will attempt key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit
debug2: pubkey_prepare: done
debug1: Offering public key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /config/.ssh/id_rsa RSA SHA256:HXFoAPg7I9wmYDBlu3tw+smlQGXG56QZmdSN++hl8tM explicit
Authenticated to 192.168.0.101 ([192.168.0.101]:22) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: filesystem
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug1: Sending command: rnutil
debug2: channel 0: request exec confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 87380
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0

have you any idea what the difference is between explicit and explicit\r\n?
or should I have my config file somewhere other than config/.ssh/
I’ve spent 2 days on this, I hate being beaten by this stuff.

I did as Martin suggested and upgraded the encryption to id_ed25519 and all is working now from the terminal AND the shell.
I have no idea why id_rsa would work from the terminal but NOT HA, but it’s working and I need a beer

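An added example, not part of any post in this thread: a small log classifier for the failure discussed above. OpenSSH clients from 8.8 on no longer offer RSA signatures with SHA-1 (`ssh-rsa`) by default, and servers older than 7.2 know no other RSA signature type, which is what `no mutual signature algorithm` reports here. The function names and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify an `ssh -v` log read on stdin.

# first_match SED_EXPR: first capture the expression produces over $log.
first_match() { printf '%s\n' "$log" | sed -n "$1" | head -n 1; }

# as_number 9.7 -> 907, so versions compare as integers.
as_number() { echo $(( ${1%%.*} * 100 + ${1#*.} )); }

diagnose_ssh_log() {
    # Home Assistant logs stderr with literal "\r\n" text at line ends; strip it.
    log=$(sed 's/\\r\\n$//')
    client=$(first_match 's/.*Local version string SSH-2\.0-OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p')
    server=$(first_match 's/.*remote software version OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p')
    key=$(first_match 's/.*Offering public key: [^ ]* \([^ ]*\) SHA256:.*/\1/p')
    # ssh -v names each config file it opens; a per-user file is any path outside /etc/ssh.
    user_config=no
    if printf '%s\n' "$log" | grep 'Reading configuration data' | grep -qv ' /etc/ssh/'; then
        user_config=yes
    fi
    # RSA key + client >= 8.8 + server < 7.2 + the error text = SHA-1 RSA signatures refused.
    verdict=other
    if printf '%s\n' "$log" | grep -q 'no mutual signature algorithm' \
        && [ "$key" = RSA ] && [ -n "$client" ] && [ -n "$server" ] \
        && [ "$(as_number "$client")" -ge 808 ] && [ "$(as_number "$server")" -lt 702 ]; then
        verdict=rsa-sha1-disabled
    fi
    echo "client=$client server=$server key=$key user_config=$user_config verdict=$verdict"
}

# Constructed sample: the decisive lines of the failing shell_command log in this thread.
sample_failing_log() {
    cat <<'EOF'
debug1: Reading configuration data /etc/ssh/ssh_config\r\n
debug1: Local version string SSH-2.0-OpenSSH_9.7\r\n
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1-hpn14v5 Debian-5+deb8u7.netgear1\r\n
debug1: Offering public key: /config/.ssh/id_rsa RSA SHA256:JyOOXgXFq05iwbY1uiYJ3K5oyweKLGMMyKqB6cfCc04 explicit\r\n
debug1: send_pubkey_test: no mutual signature algorithm\r\n
EOF
}

sample_failing_log | diagnose_ssh_log
```

A result of `verdict=rsa-sha1-disabled` together with `user_config=no` means the client in that context never read a per-user config file, so the `+ssh-rsa` lines from the config file posted earlier were not applied. Passing the same options with `-o` on the command line, or moving to an Ed25519 key as the thread did, removes the dependency on which home directory the process sees.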

Good Morning,

On my HA I have a problem with the logfile: I receive an error message but the command works.

Logger: homeassistant.components.shell_command
Quelle: /usr/src/homeassistant/homeassistant/components/shell_command/__init__.py:129
Integration: Shell Command (Dokumentation, Probleme)
Erstmals aufgetreten: 06:28:13 (1 Vorkommnisse)
Zuletzt protokolliert: 06:28:13
Error running command: `ssh -i /config/ssh_keys/id_rsa_homeassistant -o StrictHostKeyChecking=no [email protected] "shutdown -r now 2>/dev/null"`, return code: 255

NoneType: None

How can I delete the Error 255 message?

br
Markus

do you need this part of the command?

Hi,

only for testing, but it doesn’t help and I’m deleting it

I’m working through this for myself right now, and I believe my first challenge is that my HA is in a Docker container… so when I run the commands from the HA host system they’re good but within the container HA doesn’t have access to my .ssh key…

First, to get my bearings inside the container:

sudo docker exec -it homeassistant bash

I see no .ssh folders, I’m going to try just copying .ssh in from a host terminal:

sudo docker cp .ssh homeassistant:/root/.ssh

From inside the container, I see:

hapi:~# ls -la
total 24
drwx------    1 root     root          4096 May 24 19:51 .
drwxr-xr-x    1 root     root          4096 May 24 19:51 ..
-rw-------    1 root     root           175 May 20 23:17 .bash_history
drwx------    3 root     root          4096 Apr  3 02:02 .cache
drwx------    2 root     root          4096 Apr  3 02:02 .config
-rw-------    1 root     root             0 Feb 14 11:48 .python_history
drwx------    2 1000     1000          4096 May 24 16:58 .ssh

That would look happier after this, I think:

chown -R root:root .ssh

Now, trying my command from within the container:

/usr/bin/ssh root@libreelec "kodi-send --action=Play"

Yep, works… from within the container. I believe I don’t have to disable strict host key checking because I already copied in known_hosts which had the libreelec host approved.

It might help others, I was checking for failures by looking at:

cat home-assistant.log

in the host’s homeassistant configuration folder (instead of running across the house to see if it was working yet…)