Did you copy the ssh key from the user’s home directory into /confg
? Where is that key coming from?
created using in the ssh-keygen -t rsa command on the HA vm
Did you execute it as the homeassistant user?
You’ll need to do this inside the docker container.
forgive me my ignorence, but how do I know that I’m de home assistant user. I use the terminal option
whoami says I’m root
Sorry I only know the docker command to enter it docker exec -it <docker name> /bin/sh
if you have portainer installed there’s an “exec” option to get into a shell inside the docker container.
Hi Jim,
I tried this too, but got the same error.
Any other tips?
Thanks,
Rien
Try -i config/ssh/id_rsa
(without the starting /)
I had the same issue. I solved it this way https://github.com/defcon24bit/record-and-replay-RF-remote#create-certificate-on-ha. Let me know if this worked for you.
You dont have touchscreen to it?
As im also using the vcgencmd display_power commands
Seems that this topic is very confusing and frustrating for many. I too am trying to just simply run a command via a switch to start a pi video looper, I have just about looked at all posts relating to this topic and still not able to get this to work.
switch:
- platform: command_line
switches:
mediaplayer5:
command_on: "ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo supervisorctl start video_looper"
command_off: "ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo supervisorctl stop video_looper"
command_state: "ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo supervisorctl status video_looper"
friendly_name: "Media Player 5 - Large Projector"
The Command works logged in as root to home assistant via terminal session.
As far as I can tell there is no other user account being run as automation or from the dashboard.
Prep-work was to create the ssh keys from the Home Assistant (Non Docker)
ssh-keygen
ssh-copy-id [email protected]
On Home assistant via terminal i copied the .ssh folder
cp -R $HOME/.ssh /config/
mv .ssh ssh
Even found someone saying to create a config in the ssh folder:
ConnectTimeout 10
IdentityFile /config/ssh/id_rsa
UserKnownHostsFile /config/ssh/.known_hosts
Not sure more on this above config file where its being called…
When I toggle the switch it turns on, then off.
Looking at logs I see the errors:
Command failed: ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo supervisorctl start video_looper
Oh also tried the above link of resetting permissions
chmod 700 ~/ssh/
chmod 600 ~/ssh/*
The reason is in the execution contexts - SSH plugin and shell_command integration are executed in different containers.
The keys are made in the addon_core_sh container, and the SSH process is started in the homeassistant container.
You need to copy the .ssh folder from one container to another.
First, on the HassOS CONSOLE, exit the command line interface to the OS shell and then execute from there:
docker cp addon_core_ssh:/data/.ssh ./
docker cp .ssh homeassistant:/data/
And then
ssh -i /data/.ssh/id_rsa -o ‘StrictHostKeyChecking=no’ root@host
works.
Thank you for this clear explanation of the problem and the solution.
Using command_line integration I can now run shutdown commands on remote servers from the ssh terminal add-on.
One problem though is every time I do a core update, it seems the homeassistant container wipes the copied ssh keys.
To make things work I have to run the docker cp .ssh homeassistant:/data/ command again.
Sorry for the stupid question - how do I get onto the HassOS console?
I’ve installed it more than a year ago and hardly recall how to get into it for maintenance… The only thing I know how to use is the SSH & Web Terminal add-on, which as we’ve seen is not what I need lol
Nonetheless, the fact keys get wiped after an upgrade is still a bummer, it makes no sense to having to re-do configs on every update
EDIT I got it sorted by installing Apache in my computer and then adding a cronjob to execute the needed command every minute, outputting to the Apache-accessible folder; lastly, I added a
command_line
integration to HA which runscurl my-desktop-ip/result-file
Dirtiest solution possible, but…
This is clearly an old issue, but I wanted to update on this in case anyone else is hunting for this. Which might even be future me, given my current track record.
I followed these instructions (mostly the post from ndv27) to store my keys in /data/
the first time around, but got bit by the update wiping keys. I was also having issues copying files to the HA OS, which was read-only.
In the process of resolving this again, I actually encountered Home Assistant OS(VM) and ssh to remote server (Resolved) this time around, which has a different approach of storing the key in /config/
. It’s also alluded to in a few posts in this thread.
Essentially, you can put your SSH keys in /config/
, which is accessible from both the File editor and the Samba plugins. This is far easier to access - both good and bad. But, this way, you don’t have to migrate keys between containers and it doesn’t get wiped. You can also experiment with other folders visible from SMB to see if another one is more suitable. If you’re doing this, make sure you take extra steps to secure the keys from any other users on your network. I’d personally rather lock down HA OS than redo my system after updates.
And of course you can test the SSH connections yourself if you’ve got the HA OS SSH set up via all the extra steps with a docker exec -it homeassistant sh
command to enter the home assistant container. From there, you can runssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' MyHostName
to check your connection. You can also use tools like nslookup and ping to further troubleshoot connectivity.
My device has 2 GPIO relay devices and no onboard software to control them. So I ended up making a YAML configuration switch as a temporary measure while waiting for software to catch up. My configuration:
room_1_light:
command_on: "ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' root@MyHostName -t 'echo 1 > /sys/class/gpio/gpio108/value'"
command_off: "ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' root@MyHostName -t 'echo 0 > /sys/class/gpio/gpio108/value'"
command_state: "ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' root@MyHostName -t 'if [ `cat /sys/class/gpio/gpio108/value` == 1 ]; then echo 0; exit 0; else echo 1; exit 1; fi'"
friendly_name: "Room 1 Light"
unique_id: "light.room_1_light"
room_1_fan:
command_on: "ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' root@MyHostName -t 'echo 1 > /sys/class/gpio/gpio107/value'"
command_off: "ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' root@MyHostName -t 'echo 0 > /sys/class/gpio/gpio107/value'"
command_state: "ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' root@MyHostName -t 'if [ `cat /sys/class/gpio/gpio107/value` == 1 ]; then echo 0; exit 0; else echo 1; exit 1; fi'"
friendly_name: "Room 1 Fan"
unique_id: "fan.room_1_fan"
This gives me relay control and status all over SSH.
I have never really been a fan of allowing root access to a server as you can achieve the same results in a more controlled manner by doing the following:
create a config file in the /config/.ssh dir:
Host host
HostName 192.168.1.X
User user
IdentityFile /config/.ssh/id_rsa
Port 22
StrictHostKeyChecking no
which means your commands are now as follows:
command_on: "ssh host 'sudo echo 1 > /sys/class/gpio/gpio108/value'"
Note: make sure you chmod the .ssh dir as 700 and the everything in the .ssh dir as 600
If you are running sudo commands make sure you add the line to the sudoers file on the remote host:
user ALL = (root) NOPASSWD: /bin/echo 1 > /sys/class/gpio/gpio108/value
user ALL = (root) NOPASSWD: /bin/systemctl shutdown
user ALL = (root) NOPASSWD: /bin/systemctl poweroff -i
Note: user = 1000 host of remote server
Great tip for systems that allow it. I’m SSHing into some partially-liberated Android 8 wall panel that for some reason is resistant to SSH as any other user than root and doesn’t have various basic system binaries.
Long-term, it’d be great to transition to a solution using MQTT and hopefully a replacement AOSP rom. That’s the end goal, but that’s not really relevant to this conversation.
You can still allow root, but using PWD is not ideal.
If it shows ssh it’s most likely capable of supporting Public key Auth which will still allow for better layer of security.
Yes, i’m using the -i parameter in the commands above, which specifies the key file. Even had to go through the hassle of finding supported common algorithms since the recent OpenSSH deprecation of older ones knocked out a lot of what was supported in Android 8.
Oh yeah off-course I forgot about that
You should therefore be able to just specify +ssh-rsa as the option and you should be good
Host host
HostName 192.168.1.X
User user
IdentityFile /config/.ssh/id_rsa
Port 22
StrictHostKeyChecking no
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
For someone from the future learning from this thread, this is how I set up my comand_line switch using HASS 2024.8.3:
#configuration.yaml
command_line:
- switch:
name: Kodi
command_on: "ssh -o StrictHostKeyChecking=no -i /config/.ssh/id_ed25519 [email protected] 'sudo service xbmc start'"
command_off: "ssh -o StrictHostKeyChecking=no -i /config/.ssh/id_ed25519 [email protected] 'sudo service xbmc stop'"
command_state: "ssh -o StrictHostKeyChecking=no -i /config/.ssh/id_ed25519 [email protected] 'sudo service xbmc status | grep -q start'"
unique_id: "switch.rpi_kodi"
scan_interval: 60