If you’re going to do the ssh thing as you have it, you should really set up a key to log in via ssh, and in the authorized_keys file put a restriction on the commands that can be executed when using the key. When I do it, I restrict the host being logged into to only allowing a single command to be executed, and then instead of passing the path to the specific command I want to execute on the ssh host, I simply pass an argument that is interpreted by the ssh host shell command to run the desired command.
So in the HA terminal window you can generate a keypair via
ssh-keygen -b 2048 -t rsa
Then you push the public key from this pair to the host you need to run the commands on via running the following in the HA terminal window:
ssh-copy-id [email protected]
You can then verify this worked by doing the following in the HA terminal window:
ssh [email protected]
This should log you in without asking for a password. Assuming it does, log back out with exit.
Next, on the ssh host you pushed the key to, you can edit /home/pi/.ssh/authorized_keys and modify the line that was placed in this file by ssh-copy-id. You want to prepend the following to the beginning of the line:
command="/usr/share/hassio/homeassistant/os-support-apps/local_ctrl $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-x11-forwarding,no-agent-forwarding
The resulting line looks something like this:
command="/usr/share/hassio/homeassistant/os-support-apps/local_ctrl $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLUQh4g54XYM0HMBklLfKlPg6lmxgg7Y/bGmsO9bGb5eSJMiyydLVyhEz5h9Z+ssgDvoH88B68xRd2UG9Xrf9bJtATvhzLfs5prlTh+Qa4OSG7tEJ020XE+jCPVBfD3wTGt05GM2YJPBKGGx7r8LGPxX+k8DKgti/SI7gTN0MkhbqSM7OgjuR9KJBlyn+GbbFxsrO6ML1ducL6/gkkGtbstTaC5xriQgJ3oTQKBvsvwjBy6ITTzQ/Q11IoBplsTEib8MeBXsT7fcjXZIG7ZzP8AbdgesjsqRqs5SWFs+VxmQhkYS+gzfVOs2/kxQSGx0FoYwaAdF1UkHskzvGAuHJsMUuP4fI7eG+pl3l0JIcpi6Kine2k+FjDocUcN5Pf0i6TyAjYNl8q/ZCQdfOKCP8Ol1FW/mGYt+7DeailPnikd4tTokZ0NsP1x5g5ph/ZZwv1Ca0eqDTEoE/z+WFZxAyQ3NuYFgerRdZs+m19Udr/KCdPArwoDYZNM/jeM= root@core-ssh
The command that gets executed now when you log in with the key is /usr/share/hassio/homeassistant/os-support-apps/local_ctrl. The long string is the public key and will be different; my intent is to just give you an idea of what the full line in authorized_keys looks like.
That line will only allow the script /usr/share/hassio/homeassistant/os-support-apps/local_ctrl to be run when the user logs in, and it will pass the command line arguments passed on the ssh line to the script local_ctrl. For me the script file /usr/share/hassio/homeassistant/os-support-apps/local_ctrl is used to start and stop a VPN. Here’s its content:
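#!/bin/bash
# Forced-command handler: sshd runs this for the restricted key, and the
# command requested by the ssh client arrives here as the arguments.
#exec 0<&- 1> >(logger -t $(basename $0) >/dev/null 2>&1) 2>&1
echo "Received: $*"
# "$1" is quoted so an empty or unusual argument cannot break the test
if [ "$1" == "start_vpn" ]; then
    # Just in case, make sure any existing tunnel is shut down
    sudo killall openvpn >/dev/null 2>&1
    # Now start the tunnel that gives remote access when cellular is active
    sudo openvpn --daemon --config /etc/openvpn/client/phome.conf
elif [ "$1" == "stop_vpn" ]; then
    sudo killall openvpn
else
    echo "Request $1 unknown"
fi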
It uses the first command line argument to tell it if it’s starting or stopping the VPN.
So then in my shell_cmds directory I have another shell command called local_ctrl that looks like this:
#!/bin/bash
# Send only the request word; the forced command on the ssh host decides what runs
ssh -o StrictHostKeyChecking=no [email protected] "$1"
You probably notice above I don’t specify the command on the ssh host I want to run, and that’s because it will only run the one command in the authorized_keys file.
In the HA terminal window I can test this command by running it:
/config/shell_cmds/local_ctrl start_vpn
Assuming everything is right my VPN is started. You could modify this to execute your awning commands.
The shell_command line then looks like this:
shell_command:
  local_ctrl: '/config/shell_cmds/local_ctrl {{ cmd }}'
Then a script to run this would look something like this:
start_vpn:
  alias: start_vpn
  sequence:
    - service: shell_command.local_ctrl
      data:
        cmd: start_vpn
  mode: single
Hope this helps.
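
Added example, not part of the original post: a stricter variant of the forced-command script above that reads SSH_ORIGINAL_COMMAND from the environment (sshd sets it for a forced command) and accepts only an exact allowlisted word. The function names and the exit code 64 are assumptions made for this sketch; the paths and VPN commands are the ones from the post.

```bash
#!/bin/bash
# Added example: allowlist dispatcher for an SSH forced command.
# Assumed authorized_keys entry: command= names this script alone, with no
# $SSH_ORIGINAL_COMMAND on the line, followed by the same no-* options:
#   command="/usr/share/hassio/homeassistant/os-support-apps/local_ctrl",no-port-forwarding,no-x11-forwarding,no-agent-forwarding <public key>

# resolve_request REQUEST
# Prints the action name and returns 0 only for an exact allowlisted word.
# Returns 1 for empty input, extra arguments, or anything unknown.
resolve_request() {
    # Whole-string match: "start_vpn; id" or "start_vpn extra" never match.
    case "$1" in
        start_vpn|stop_vpn) printf '%s\n' "$1" ;;
        *) return 1 ;;
    esac
}

# run_action ACTION: the only place that runs privileged commands.
run_action() {
    case "$1" in
        start_vpn)
            sudo killall openvpn >/dev/null 2>&1
            sudo openvpn --daemon --config /etc/openvpn/client/phome.conf
            ;;
        stop_vpn)
            sudo killall openvpn
            ;;
    esac
}

# handle_request REQUEST: validate, log, then act. Returns 64 on rejection.
handle_request() {
    if ! action=$(resolve_request "$1"); then
        # Log only the length so client-controlled bytes never reach the log.
        printf 'local_ctrl: rejected request (%d bytes)\n' "${#1}" >&2
        return 64
    fi
    printf 'local_ctrl: running %s\n' "$action" >&2
    run_action "$action"
}

# Dispatch only when sshd started us with a client-supplied command.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    handle_request "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Because the request is compared as one whole string, nothing the client appends after the allowlisted word can reach sudo or openvpn.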