I’m missing some written documentation on how to make the best of ssh with as limited access as possible.
ssh can be used for shell_command execution and for the command_line sensor.
In this setup a single ssh private key is bound to a single command on the ssh host, so no other access is granted, which makes your system more secure.
Create an ssh connection to Home Assistant using the ssh addon, or go to the HA docker file location.
0) Make a directory for the ssh keys, for example /config/ssh.
- Generate an ssh key with ssh-keygen, set the right location, and don’t use a passphrase (the key has to work unattended).
# ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): /config/ssh/forumexample
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /config/ssh/forumexample
Your public key has been saved in /config/ssh/forumexample.pub
The key fingerprint is:
SHA256:wiXpt/Yit1aLNodIPx80HIMP9QduoiyjHVp84kB/6OE root@a0d7b954-ssh
- Copy the public key to your ssh machine with ssh-copy-id, using your ssh username and password.
config # ssh-copy-id -i /config/ssh/forumexample [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/config/ssh/forumexample.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
config #
- The public key has now been appended to ~/.ssh/authorized_keys on the ssh host (the last line).
Edit this line to bind the key to the command you want; you can also add from="<home assistant ip>" so the key only works from that address.
command="/usr/local/bin/yourscript.sh",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyDo4oV720A+3hwwueDcBXNQc/v4UYYjHZ81HoO5XPV root@a0d7b954-ssh
Now if you make an ssh connection using the generated key, the assigned command is executed and no other access is possible (restrict disables port forwarding, agent forwarding, X11 forwarding and pty allocation; it needs OpenSSH 7.2 or newer on the host). -o StrictHostKeyChecking=accept-new is required because HAOS does not store the host key.
"ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]"
Parameters
You can pass a parameter by adding $(cat) to the command:
command="/usr/local/bin/yourscript.sh $(cat)",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyDo4oV720A+3hwwueDcBXNQc/v4UYYjHZ81HoO5XPV root@a0d7b954-ssh
and use echo on the Home Assistant side:
echo "this_is_a_parameter" | ssh -o StrictHostKeyChecking=accept-new -i /config/ssh/forumexample [email protected]
Examples:

```yaml
shell_command:
  setaggi_finished: "ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]"
  an_example_with_parameter: "echo {{ states('input_text.somevalue') }} | ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]"

command_line:
  - sensor:
      command: ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new [email protected]
      name: linux_ssh_sensor
```
Note: Home Assistant doesn’t like it when shell commands get too long; use a bash shell script instead.
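As an added example (not code from the original post) covering the parameter section and the note above: Home Assistant runs a shell_command that contains a template without a shell, so a pipe in such a command does not work, which is one more reason to call ssh from a small script; and on the ssh host the forced command is safer when it reads and validates the parameter itself instead of relying on $(cat), which the login shell word-splits and glob-expands. The script below is that server-side forced command; the path /usr/local/bin/yourscript.sh, the service name myservice and the three action names are assumptions.

```shell
#!/bin/sh
# Added example: forced command for the restricted key, installed (assumed) as
# /usr/local/bin/yourscript.sh and referenced from authorized_keys as
#   command="/usr/local/bin/yourscript.sh",restrict ssh-ed25519 AAAA...
# It reads the parameter Home Assistant pipes in from stdin, so no "$(cat)" is
# needed in the authorized_keys line and the value never reaches a shell.

# Read one line from stdin, strip a trailing CR, cap the length at 64 bytes.
read_param() {
    line=""
    IFS= read -r line || true
    printf '%s' "$line" | tr -d '\r' | cut -c1-64
}

# Map an allow-listed action to a fixed command; print it and return 0.
# Anything not listed returns 1, so arbitrary strings can never be executed.
action_command() {
    case "$1" in
        start)  echo "systemctl start myservice" ;;      # myservice: placeholder
        stop)   echo "systemctl stop myservice" ;;
        status) echo "systemctl is-active myservice" ;;
        *)      return 1 ;;
    esac
}

# Dispatch: look the action up, log and refuse unknown ones, run known ones.
# sshd sets SSH_CLIENT and SSH_ORIGINAL_COMMAND for a restricted key; logging
# them gives a defender the client address and what the client tried to run,
# which is the signal to alert on if the private key ever leaks.
handle_param() {
    cmd=$(action_command "$1") || {
        logger -t yourscript "rejected '$1' from ${SSH_CLIENT:-local}" \
            "orig=${SSH_ORIGINAL_COMMAND:-none}" 2>/dev/null
        return 2
    }
    $cmd    # intentionally unquoted: splits the fixed command string into words
}

# Run the dispatcher only when invoked as the forced command.
if [ "${0##*/}" = "yourscript.sh" ]; then
    handle_param "$(read_param)"
fi
```

On the Home Assistant side the matching script is one line, printf '%s\n' "$1" | ssh -i /config/ssh/forumexample -o StrictHostKeyChecking=accept-new user@host (user@host being your ssh user and host), called from shell_command with the templated value as its argument.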