Secure ssh setup (limiting a remote ssh key to a single command)

I'm missing written documentation on how to make the best of ssh with as little access as possible.
ssh can be used for shell_command execution and the command_line sensor.

In this setup a single ssh private key is bound to a single command on the ssh host, so no other access is granted, which makes your system more secure.

Create an ssh connection to Home Assistant using the ssh addon, or go to the HA docker file location.
0) Make a directory for the ssh keys, for example /config/ssh.

1. Generate an ssh key with ssh-keygen; set the right location and don't use a passphrase.
# ssh-keygen 
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): /config/ssh/forumexample
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /config/ssh/forumexample
Your public key has been saved in /config/ssh/forumexample.pub
The key fingerprint is:
SHA256:wiXpt/Yit1aLNodIPx80HIMP9QduoiyjHVp84kB/6OE root@a0d7b954-ssh
The key's randomart image is:
+--[ED25519 256]--+
|          . .    |
|       . o o .   |
|    . o + + + .  |
|   . = = = = .   |
|    . # S =      |
|     X.@ o..     |
|    o.Eoo+..     |
|      [email protected].     |
|       =.Bo      |
+----[SHA256]-----+
2. Copy the public key to your ssh machine, using your ssh username and password.
config # ssh-copy-id -i /config/ssh/forumexample [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/config/ssh/forumexample.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

config # 
3. The public key is now appended as the last line of .ssh/authorized_keys on the ssh machine (ssh-copy-id installs it there, not in known_hosts).

Edit this line to bind the key to the command you want.

command="/usr/local/bin/yourscript.sh",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyDo4oV720A+3hwwueDcBXNQc/v4UYYjHZ81HoO5XPV root@a0d7b954-ssh

Now if you make an ssh connection using the generated key, the assigned command is executed and no other access is possible. (-o StrictHostKeyChecking=accept-new is required because HAOS does not store the host key.)

"ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]"

Parameters

You can pass parameters by adding $(cat) to the command:

command="/usr/local/bin/yourscript.sh $(cat)",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyDo4oV720A+3hwwueDcBXNQc/v4UYYjHZ81HoO5XPV root@a0d7b954-ssh

and use echo on the Home Assistant side:

echo "this_is_a_parameter" | ssh  -o StrictHostKeyChecking=accept-new -i /config/ssh/forumexample [email protected]
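Putting $(cat) in the authorized_keys command line hands whatever Home Assistant sends to the login shell unexpanded, so the script on the ssh host should treat it as untrusted input. The script below is an added example (not from the original post): it reads the parameter from stdin itself, so authorized_keys keeps the plain form command="/usr/local/bin/yourscript.sh",restrict and the Home Assistant side keeps the same echo ... | ssh ... call. The path /usr/local/bin/yourscript.sh, the allow-list and the "work" it does are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a forced-command script that reads the
# parameter from stdin itself, so authorized_keys keeps the plain form
#   command="/usr/local/bin/yourscript.sh",restrict ssh-ed25519 ...
# and the value sent with "echo value | ssh ..." is never expanded by a shell.
# The path /usr/local/bin/yourscript.sh, the allow-list and the "work" are assumptions.

# validate_param VALUE: return 0 if VALUE is 1..32 chars from [A-Za-z0-9_-], else 1.
validate_param() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# read_param: print the first line of stdin with any trailing CR removed.
# Only one line is consumed, so extra input cannot smuggle in a second value.
read_param() {
    IFS= read -r line || [ -n "$line" ]
    printf '%s' "$line" | tr -d '\r'
}

main() {
    # With command=...,restrict the client cannot choose a command, but if it tried,
    # sshd puts the attempt in SSH_ORIGINAL_COMMAND; log and refuse it.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        logger -t yourscript "refused remote command from ${SSH_CONNECTION:-unknown}"
        echo "remote commands are not accepted" >&2
        exit 2
    fi
    param=$(read_param)
    if ! validate_param "$param"; then
        logger -t yourscript "rejected parameter from ${SSH_CONNECTION:-unknown}"
        echo "rejected parameter" >&2
        exit 1
    fi
    # Do the real work with the validated value here (assumed: just echo it back).
    echo "accepted: $param"
}

# Run main only when executed as the installed script, so the functions can also be sourced.
case "$0" in
    */yourscript.sh | yourscript.sh) main ;;
esac
```

Install it as /usr/local/bin/yourscript.sh (executable, owned by root) and test from Home Assistant with echo kitchen_light | ssh -i /config/ssh/forumexample ... ; a value such as "x; rm -rf /" is rejected and logged instead of reaching a shell.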

Examples:

shell_command:
  setaggi_finished: "ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]"
  an_example_with_parameter: "echo {{ states('input_text.somevalue') }} | ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]"

command_line:
  - sensor:
      command: ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]
      name: linux_ssh_sensor

Note: Home Assistant doesn't like it when shell commands get too long; use a bash shell script instead.