SSH into HassOS

I’m trying to enable ssh ability into the HASSOS. But I can’t get it to work.

I have generated the ssh key and moved it onto a thumb drive and named the file authorized_keys. I’ve tried restarting the pi and using the “Import from USB”. But I get the error “Permission denied (publickey).”

This is the results I get when I use -vT while trying to ssh.

HassOS version 1.13
HASSIO version 0.84.1

$ ssh -vT [email protected] -p 22222
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 192.168.1.5 port 22222.
debug1: Connection established.
debug1: identity file /Users/me/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/me/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version dropbear_2018.76
debug1: no match: dropbear_2018.76
debug1: Authenticating to 192.168.1.5:22222 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AAgfg/z1sAoEVLTurFjCwhhJWhRMAHSGT2UTYJadKhw
debug1: checking without port identifier
The authenticity of host '[192.168.1.5]:22222 ([192.168.1.5]:22222)' can't be established.
ECDSA key fingerprint is SHA256:AAgfg/z1sAoEVLTurFjCwhhJWhRMAHSGT2UTYJadKhw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.5]:22222' (ECDSA) to the list of known hosts.
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:uMhiECkURCEQPIcX6lRly4X0h2uXYmpyt9OUwjaWk6s /Users/me/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/me/.ssh/id_dsa
debug1: Trying private key: /Users/me/.ssh/id_ecdsa
debug1: Trying private key: /Users/me/.ssh/id_ed25519
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
1 Like

you have the authorized_keys in the .ssh directory on the hass box?

I’m using hassio. So I put the public key in a file called authorized_keys on a thumb drive. I don’t have direct access to the .ssh directory.

oh yeah, I don’t know how hassio works, I have my HA set up using regular docker on a ubuntu server

1 Like

Do you have any news? I’m in the same situation…

And the log:

core-ssh:~# ssh -vT [email protected] -p 22222

OpenSSH_7.7p1, LibreSSL 2.7.4
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.89 [192.168.1.89] port 22222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version dropbear_2018.76
debug1: no match: dropbear_2018.76
debug1: Authenticating to 192.168.1.89:22222 as ‘root’
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: n one
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: n one
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:/np/YfyBy7St0ADQ4Mh5V0iILOmQ /xvd967EjpSqOgY
debug1: Host ‘[192.168.1.89]:22222’ is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

1 Like

no one? how do you enable SSH access to the HASSIO OS (not the docker, i have that). I’m having the same issue. I’d rather not have to remove my raspberryPi and connect monitor and keyboard to it… which I’m not sure if that works anyways?

https://developers.home-assistant.io/docs/en/hassio_debugging.html#hassos-based-hassio

1 Like

thanks @flamingm0e i didn’t read that close enough. So i need to shutdown my Pi, remove SD card, mount, copy file/details as per your link, then put back SD and boot Pi again.
Should have password allowed by default to save this step.

Huh?

It literally says none of that.

Use a USB drive formatted with FAT, ext4, or NTFS and name it CONFIG (case sensitive). Create an authorized_keys file containing your public key, and place it in the root of the USB drive. From the UI, navigate to the hass.io system page and choose “Import from USB”. You can now access your device as root over SSH on port 22222. Alternatively, the file will be imported from the USB when the hass.io device is rebooted.

1 Like

:blush: I need to get some more sleep. I completely slipped that part and read the next section which talks about SD cards not USB drive. Thanks for saving me from myself!

Sdcard method was for the old ResinOS based version

I’m having a similar issue, every time I try to do a SSH to the OS to attempt to change the WiFi configuration:

$ ssh [email protected] -p 22222
ssh: connect to host hassio.local port 22222: Connection refused

I don’t have issues doing SSH to regular port, below the version I’m using:

core-ssh:~# hassio host info
chassis: embedded
cpe: cpe:2.3:o:home_assistant:hassos:2.12::production::::rpi3-64:*
deployment: production
features:

  • reboot
  • shutdown
  • services
  • hostname
  • hassos
    hostname: hassio
    kernel: 4.14.98-v8
    operating_system: HassOS 2.12

core-ssh:~# hassio info
arch: aarch64
channel: stable
hassos: “2.12”
homeassistant: 0.95.4
hostname: hassio
logging: info
machine: raspberrypi3-64
supervisor: “167”
supported_arch:

  • aarch64
  • armv7
  • armhf

Because that’s the add-on. It’s a separate container.

Did you configure HassOS for SSH?

Hi, I configured the add-on and added my public key and docker SSH is working, is there a separate instruction to configure HassOS for SSH, if so could you please refer me to the instructions?

The add-on isn’t the host OS…

https://developers.home-assistant.io/docs/en/hassio_debugging.html#ssh-access-to-the-host

I pulled my hair for 2 days with the exact same thing, turned out that what you need to copy in authorized_keys has to come straight from PuTTyGen without saving first to disk or it will have the wrong format

2 Likes

There it is stated: “You will initially be logged in to Hass.io CLI for HassOS where you can perform normal CLI functions. If you need access to the host system use the ‘login’ command.”
So my understanding is that you gain access to HassOS through the docker. I guess it is not possible to directly SSH HassOS. Is that correct?

That is incorrect and instructions for how to set up the host ssh access has been posted a few times in this thread.

Thanks for the clarification but actually it does not add up despite the few times this has been posted in this thread.

According to the Docker architecture, applications —like SSH server, are always part of the user space. The only way to not get this to happen is by installing applications on the the host OS, see here. There an SSH server could be installed on the host OS (Windows for instance) and so outside the Docker user space.

To my understanding, the Buildroot used here is not configured to support an SSH server. Obviously this has nothing to do with HassOS as it is just the Docker hypervisor. In other words, the only way to get a SSH server running outside the Docker user space is to have it running hosted by the pre-build image based on ResinOS. More here. A way to proof that this is not happing is by following the instructions given above to gain access to the host HassIO system (ResinOS) by running the login command and then command sysctl docker stop. This will not only brings down the Docker hypervisor, as expected, but also the SSH connection and the system, leaving a cold-restart as the only option for recovering access to it.

I could be completely wrong here therefore I would like to be enlighten about how to gain access to the ResinOS and bring down the Docker hypervisor (HassOS) without loosing SSH connectivity.

resinOS hasn’t been in use for over a year. And even when it was, the host ssh is already existing and active over port 22222. You only need to add the authorized keys file. Home Assistant OS (the current buildroot base) has the same existing setup.

https://developers.home-assistant.io/docs/hassio_debugging/#ssh-access-to-the-host