I followed the above steps of PaFcio. Therefore I used ssh-keygen command on RPI terminal to generate id_rsa and id_rsa.pub.
So I currently have:
id_rsa and id_rsa.pub in RPI folder /home/pi/.ssh/
id_rsa.pub in RPI folder /home/pi/.ssh/known_hosts/
id_rsa and id_rsa.pub in home assistant folder /usr/share/hassio/homeassistant/ssh/
If I check the Log viewer after launching the command from Developers Tools in home assistant, I can see my command plus return code: 255
On which Pi, the remote Pi? When you ssh into the remote Pi from the Home Assistant terminal, do you need to enter a password? If yes, then you haven’t set it up correctly.
What you mean with “remote Pi” ? I ran the ssh-keygen command on the host machine basically, on which it is installed Docker.
Correct, if I ssh from home assistant terminal, then I have to insert the password to effectively execute the command.
May be shall I set up something in my configuration.yaml to “include” the ssh folder ?
Do you want to run the shell command on the same machine that you run home assistant on? If so, the procedure is different.
OK, I will recap my situation just to be sure that you can point me to the right procedure then:
raspberryPi_local_ip
raspberryPi_local_ip:8123 on browser in kiosk modeWhich one is the correct procedure then ?
You need to generate the ssh keys inside the docker container and copy the public key to the host, then you should be good to go
And he did, as he wrote via generating key from Hass.io terminal. There is one step that I forgot about in my short explanation, that is disabling password entry in ssh.
This additional step:
Edit /etc/ssh/sshd_config so that:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
DO NOTE that by doing this you will not be able to log in via ssh password anymore and each and every machine you want to use to log in via ssh needs to be included by adding public key to known_hosts 
Then I misinterpreted this:
I assumed RPI terminal is the terminal on the host and not inside the hass.io container.
Seems that I misinterpreted as well, sorry. Poli88, you need to run that command in Hass.io terminal, not RPI terminal (you are generating key private and public key for machine that needs access to PI, not other way around). Please see previous post before my step-by-step explanation, Tinkerer explained that well there.
Hi Guys, so I followed again all the steps as above by generating the ssh keys from the Hassio terminal, but now if I run the command I get [email protected]: Permission denied (publickey).
What could be the issue 
?
You need to copy generated public key to known-hosts in RPI ssh folder. The public key generated via Hass.io terminal. I explained what command to use in Hass.io terminal to do that:
cp /.ssh/id_rsa /config/ssh/id_rsa and cp /.ssh/id_rsa.pub /config/ssh/id_rsa.pub
Ok I did some tests and finally sorted out the issue. I already followed all your steps, but was not enough.
Further to that, I had to add the public key to authorized_keys on RPI ssh folder. Moreover, I also modified PermitRootLogin no in my sshd_config. Now it finally works fine !! Thanks a lot for your help !!
I ran into this topic and just wanted to report back how I got it working, because there’s some misinformation.
The general principle for passwordless access from HA to another server:
From then on, you have passwordless access to the remote machine.
There is no need to store the private or public key from the remote machine on the HA machine.
(by which I mean, physically moving the files using scp)
However, things are a little more complex when running HA in docker.
In order to store the settings persistently, you do need some options in the ssh command.
I have HA running via docker-compose and have this volume: /home/pi/homeassistant:/config.
By default, a docker shell runs as root, meaning ssh certificates and known_hosts file are stored under /root/.ssh, which is not persistent after container restart, so you need to change that.
docker exec -it <container name> /bin/bash
/config, make a folder ssh (you can call this what you want):mkdir /config/ssh
ssh-keygen, but when it asks for the file location, make sure you type /config/ssh/id_rsa. Also, don’t use a password, otherwise you will never get passwordless access.ssh-copy-id. Because we didn’t use the default location for the key, we need to tell it where it is (-i flag):ssh-copy-id -i /config/ssh/id_rsa.pub <user>@<remote-ip>/root/.ssh/known_hosts, so we need to give it a different location again (with -o flag):ssh -i /config/ssh/id_rsa -o UserKnownHostsFile=/config/ssh/known_hosts <user>@<remote-ip>
You might get an error message saying: WARNING: UNPROTECTED PRIVATE KEY FILE!
This is because the keys were created by root.
This is quickly solved by:
sudo chmod 600 /config/ssh/id_rsa
sudo chmod 600 /config/ssh/id_rsa.pub
Now do step 5 again.
If all went well, now you have passwordless access.
You can now do stuff like:
ssh -i /config/ssh/id_rsa -o UserKnownHostsFile=/config/ssh/known_hosts <user>@<remote-pi> 'sudo poweroff' (on a remote Raspberry Pi)
Thank you a lot! This is very helpful.
Hello, unfortunately nothing helps to me. I am running preconfigured HA in virtualbox and it seems that .ssh and config folders are on different place. Seems like .ssh or /.ssh are not found by shell script.
To be expected, that’s why you have to put the SSH key in the config folder, and use the command line that tells it where to find the key.
I can send SSH commands through Terminal in HA (via the Terminal/SSH add on), but I cannot get any of these service calls to work. Any help would be much appreciated!!
This is in my configuration.yaml:
shell_command:
restart_pi: "ssh -l pi 192.168.1.74 'sudo reboot'"
reboot_test: ssh -l [email protected] 'sudo reboot'
test3: ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo reboot
test4: ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] "sudo reboot"
test5: "ssh -i /config/ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] sudo reboot"
test6: "ssh -i 'StrictHostKeyChecking=no' [email protected] sudo reboot"
test7: "ssh -i 'StrictHostKeyChecking=no' [email protected] 'sudo reboot'"
test8: ssh -i /config/ssh/id_rsa -o StrictHostKeyChecking=no [email protected] 'sudo reboot'
Well, only four of those have any hope of working. The ones that specify the path to the private key and that turn off the checking.
When it fails there should be some information in the log file detailing the problem.
I try to stop and start the surveillance package on my Synology via shell command from home assistant
Shutdown of my NAS is working perfect with
ssh -i /config/.ssh/id_rsa -o StrictHostKeyChecking=no [email protected] "echo password| sudo -S poweroff"
but if I do the same with following I get an error
ssh -i /config/.ssh/id_rsa -o StrictHostKeyChecking=no [email protected] "echo password| sudo -S synopkg stop SurveillanceStation"
error:
Password: sudo: synopkg: command not found
I’m not sure what I have to change either on the NAS or on my HA
If I logvi via ssh from my home assistant and using home_assistant_ssh as a user I can exectue the stop/start
The command “synopkg” can not be found!
You can simply try to use the full path for this command.