Ok I did some tests and finally sorted out the issue. I already followed all your steps, but that was not enough.
Further to that, I had to add the public key to authorized_keys in the RPI ssh folder. Moreover, I also modified PermitRootLogin no in my sshd_config. Now it finally works fine!! Thanks a lot for your help!!
I ran into this topic and just wanted to report back how I got it working, because there’s some misinformation.
The general principle for passwordless access from HA to another server:
- Create ssh keys without a password on the HA machine, using ssh-keygen (don’t type a password when it asks for it)
- Do ssh-copy-id on the HA machine, to update the authorized_keys file on the remote server
- Connect once, and answer yes to update the known_hosts file on the HA machine
From then on, you have passwordless access to the remote machine.
There is no need to store the private or public key from the remote machine on the HA machine.
(by which I mean, physically moving the files using scp)
However, things are a little more complex when running HA in docker.
In order to store the settings persistently, you do need some options in the ssh command.
I have HA running via docker-compose and have this volume: /home/pi/homeassistant:/config.
By default, a docker shell runs as root, meaning ssh certificates and known_hosts file are stored under /root/.ssh, which is not persistent after container restart, so you need to change that.
1. Start a shell in the HA container:
   docker exec -it <container name> /bin/bash
2. In /config, make a folder ssh (you can call this what you want):
   mkdir /config/ssh
3. Now execute ssh-keygen, but when it asks for the file location, make sure you type /config/ssh/id_rsa. Also, don’t use a password, otherwise you will never get passwordless access.
4. Now push the public key to the remote machine using ssh-copy-id. Because we didn’t use the default location for the key, we need to tell it where it is (-i flag):
   ssh-copy-id -i /config/ssh/id_rsa.pub <user>@<remote-ip>
   During this, it will ask you for the remote ssh password once (this is the last time).
5. Now the final, but important step: you need to connect once and answer the question yes to update the local known_hosts file. However, because you are root, it will store it again under /root/.ssh/known_hosts, so we need to give it a different location again (with -o flag):
   ssh -i /config/ssh/id_rsa -o UserKnownHostsFile=/config/ssh/known_hosts <user>@<remote-ip>
You might get an error message saying: WARNING: UNPROTECTED PRIVATE KEY FILE!
This is because the keys were created by root.
This is quickly solved by:
sudo chmod 600 /config/ssh/id_rsa
sudo chmod 600 /config/ssh/id_rsa.pub
Now do step 5 again.
If all went well, now you have passwordless access.
You can now do stuff like:
ssh -i /config/ssh/id_rsa -o UserKnownHostsFile=/config/ssh/known_hosts <user>@<remote-pi> 'sudo poweroff'
(on a remote Raspberry Pi)
Thank you a lot! This is very helpful.
Hello, unfortunately nothing helps me. I am running preconfigured HA in virtualbox and it seems that the .ssh and config folders are in a different place. Seems like .ssh or /.ssh are not found by the shell script.
To be expected, that’s why you have to put the SSH key in the config folder, and use the command line that tells it where to find the key.
I can send SSH commands through Terminal in HA (via the Terminal/SSH add on), but I cannot get any of these service calls to work. Any help would be much appreciated!!
This is in my configuration.yaml:
shell_command:
  restart_pi: "ssh -l pi 192.168.1.74 'sudo reboot'"
  reboot_test: ssh -l [email protected] 'sudo reboot'
  test3: ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo reboot
  test4: ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] "sudo reboot"
  test5: "ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo reboot"
  test6: "ssh -i 'StrictHostKeyChecking=no' [email protected] sudo reboot"
  test7: "ssh -i 'StrictHostKeyChecking=no' [email protected] 'sudo reboot'"
  test8: ssh -i /config/ssh/id_rsa -o StrictHostKeyChecking=no [email protected] 'sudo reboot'
Well, only four of those have any hope of working. The ones that specify the path to the private key and that turn off the checking.
When it fails there should be some information in the log file detailing the problem.
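Added example (not from any post in this thread): a preflight wrapper for the non-interactive ssh calls discussed above, using the key and known_hosts locations from the five-step post. It checks key permissions and the host key entry, then prints a command with host key checking left on; the function names, the BatchMode and StrictHostKeyChecking settings and the sample host are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight checks before a non-interactive ssh call from HA.
# Paths follow the thread (/config/ssh); function names are hypothetical.
KEY="${KEY:-/config/ssh/id_rsa}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/config/ssh/known_hosts}"

# Succeeds only if the private key exists and grants nothing to group/other.
# Assumes GNU or BusyBox stat (-c '%a' prints the octal mode, e.g. 600).
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds if <host> appears in the first field of a known_hosts entry.
# Hashed entries (|1|...) are not matched here; ssh-keygen -F handles those.
host_is_known() {   # usage: host_is_known <host> <known_hosts file>
    [ -f "$2" ] || return 1
    awk -v h="$1" '
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit !found }' "$2"
}

# Prints the ssh command line to run, or explains on stderr why it would fail.
# The remote command must not contain single quotes (it is wrapped in them).
build_ssh_cmd() {   # usage: build_ssh_cmd <user> <host> <remote command>
    key_is_private "$KEY" || { echo "key missing or too permissive: $KEY" >&2; return 2; }
    host_is_known "$2" "$KNOWN_HOSTS" || { echo "no host key for $2 in $KNOWN_HOSTS" >&2; return 3; }
    # BatchMode=yes: fail instead of prompting. StrictHostKeyChecking=yes: refuse
    # unknown or changed host keys rather than accepting them.
    printf "ssh -i %s -o UserKnownHostsFile=%s -o BatchMode=yes -o StrictHostKeyChecking=yes %s@%s '%s'\n" \
        "$KEY" "$KNOWN_HOSTS" "$1" "$2" "$3"
}

# Example: sh preflight.sh pi 192.0.2.10 'sudo poweroff'   (constructed host)
if [ "$#" -eq 3 ]; then
    build_ssh_cmd "$@"
fi
```

Return code 2 points at the key file (missing or not mode 600), return code 3 at a host that was never accepted into the persistent known_hosts file.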
I try to stop and start the surveillance package on my Synology via shell command from home assistant
Shutdown of my NAS is working perfect with
ssh -i /config/.ssh/id_rsa -o StrictHostKeyChecking=no [email protected] "echo password| sudo -S poweroff"
but if I do the same with following I get an error
ssh -i /config/.ssh/id_rsa -o StrictHostKeyChecking=no [email protected] "echo password| sudo -S synopkg stop SurveillanceStation"
error:
Password: sudo: synopkg: command not found
I’m not sure what I have to change either on the NAS or on my HA
If I log in via ssh from my home assistant and using home_assistant_ssh as a user I can execute the stop/start
The command “synopkg” can not be found!
You can simply try to use the full path for this command.
I tried but the same problem
If I log in with this user it works
You tried with the path from „/“ for synopkg?
Add full Path to synopkg (which synopkg should show the full path)
That is what I wrote here: https://community.home-assistant.io/t/running-a-shell-command-from-home-assistant-to-remote-linux-pc/135221/81
still the same issue
I guess it is more a rights problem with the ssh login
ah. I had the wrong path. seems to work now
Good to hear!
Hi! Thank you for your post, I’m trying to follow, and in stage 4 I’m getting this error:
bash-5.1# ssh-copy-id -i /config/ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/config/ssh/id_rsa.pub"
mktemp: (null): No such file or directory
/usr/bin/ssh-copy-id: ERROR: failed to create required temporary directory under ~/.ssh
Any idea what can be the source of the problem?
thanks!
Is pi a root user?
You could try and mkdir ~/.ssh first on the remote machine. I don’t remember if it already existed.
I would like to add, if someone is still encountering issues:
In my case the shell command couldn’t resolve local hostnames.
The terminal add-on could ssh to pi@raspberrypi, but the shell command was giving errors. Checked the log (debug) and saw that I had to use [email protected].***
Very Helpful!!! works!