Ssh login FROM homeassistant to remote computer (libreELEC)

Hi,

I have homeassistant running on one Pi3, and libreELEC (based on kodi) on another. I have set all my media stuff (TV, libreELEC, amplifier + stereo) on a z wave switch, so I can turn all off when not in use. But in order to properly shut down the libreELEC pi (as well as to control the TV through CEC via the libeELEC), I need to do ssh logins and send some commands.

As far as I could get with this, the problem is (I think?) that the homeassistant user cannot do… well something… My best guess? it’s a problem with running ssh FROM homeassistant.

I have set created files, e.g. for shutting down libreELEC (shutdownkodi.sh):

#!/bin/bash

sshpass -p 'MYPASSWORD' ssh [email protected] "shutdown -h now"

Which works just fine when I execute it from the terminal as user: pi. But when I change user to homeassistant, nothing happens. I made a script linking to a shell_command in home assistant, and this (of course?) doesn’t work either.

What I found weird is, I made other *.sh files, e.g. this one for sending a message to turn on a wifi enabled kettle I have:

#!/bin/bash

echo -e "HELLOKETTLE\nset sys output 0x4\nset sys output 0x80\n" | nc  192.168.0.20 2000

and that works fine, both from terminal and when I call the script I made within home assistant it turns on.

Which is why I though maybe the user “homeassistant” cannot use ssh? does that make sense? And if yes, can I change that?

I should note that libreELEC is installed as an image, so not on top of a full raspbian (it doesn’t have apt-get and a bunch of other stuff). This might be important, because many of the threads I found googling suggested using keys instead of password for ssh (which I do for all “full” raspbian’s I have running), but I can’t really get that to work on the libreELEC.

I don’t know too much about ssh.

But if you just want to turn off kodi (libreelec which i am using too) you can do this by adding it as a media_player to Home-Assistant like this:

media_player:
  - platform: kodi
    host: 192.168.1.28
    port: 8080
    name: Kodi
    username: !secret kodiusr
    password: !secret kodipass
    turn_off_action: shutdown 

Only thing you have to enable in kodi: Settings --> service settings --> Control
Then allow remote control via HTTP and give a username and password.

Then in HA you can use a script like this or use it in an automation:

 kodi_off:
    alias: "Turn Kodi Off"
    sequence:
      - service: media_player.turn_off
        data:
          entity_id: media_player.kodi

With the remote control enables you can do things in kodi with using json.
For example this is how i open an addon in kodi and select a specific item in that addon.
curl -i -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"Addons.ExecuteAddon","params":{"wait":false,"addonid":"plugin.video.surveillanceroom","params":{"action":"show_preview","camera_number":"2","id":"1"}},"id":2}' http://USERNAME:[email protected]:8080/jsonrpc

Are you using hassbian for that?

Btw. automating a root login might not be the best idea from a security view point, especially if you’Re hardcoding the password right into the script. I should use pre-shared keys for that if you have to actually ssh into the libreELEC.

Best bet though is to use media_player platform for that as @Mister-Espria already pointed out.

First of all I would strongly recommend switching from libreELEC because you properly gonna run into more issues like this if you don’t have full access to the OS. Something like RaspBMC or OpenELEC would be good I think.

For your SSH issue did you check the ssh config file and user / groups of your user?

Reference:
https://knowledgelayer.softlayer.com/learning/how-do-i-permit-specific-users-ssh-access

~Cheers

Ok sorry, long reply here. I played around a bit to see if I could make sense of everything.

Great idea, thanks a lot, turning off the kodi definitely works like this! I have also tried to make scripts that can turn on/off TV via kodi’s CEC (since I also use it for music, and don’t wat the TV on for that). What I tried to use was:

#!/bin/bash

sshpass -p 'libreelec' ssh [email protected] "echo 'on 0' | cec-client -s"

Which, again, worked when I ran as user pi, but not when running as homeassistant. Staying in your line of thought, I found on github, that:

http://localhost:8080/jsonrpc?request={"jsonrpc":"2.0","method":"Addons.ExecuteAddon","params":{"addonid":"script.json-cec","params":{"command":"activate"}},"id":1}

should turn on a TV connected to kodi through CEC, (I wasn’t sure about the syntax) so I tried using either:

- platform: command_line
  switches:
    tv_test:
      command_off: curl -i -X POST -H "Content-Type: application/json" -d ‘{“jsonrpc":"2.0","method":"Addons.ExecuteAddon","params":{"addonid":"script.json-cec","params":{"command":"standby"}},"id”:1}’ http://USER:[email protected]:8080/jsonrpc
      command_on: curl -i -X POST -H "Content-Type: application/json" -d ‘{“jsonrpc":"2.0","method":"Addons.ExecuteAddon","params":{"addonid":"script.json-cec","params":{"command":"activate"}},"id”:1}’ http://USER:[email protected]:8080/jsonrpc
```
or

```
- platform: command_line
  switches:
    tv_test:
      command_on: curl -i -X POST -H "Content-Type: application/json" -d http://USER:[email protected]:8080/jsonrpc?request={"jsonrpc":"2.0","method":"Addons.ExecuteAddon","params":{"addonid":"script.json-cec","params":{"command":"activate"}},"id":0}
      command_off: curl -i -X POST -H "Content-Type: application/json" -d http://USER:[email protected]:8080/jsonrpc?request={"jsonrpc":"2.0","method":"Addons.ExecuteAddon","params":{"addonid":"script.json-cec","params":{"command":"standby"}},"id":0}
```
I tried from the terminal, but I get errors. The first one just returns:
```
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 76
Cache-Control: private, max-age=0, no-cache
Accept-Ranges: none
Date: Wed, 05 Apr 2017 21:55:49 GMT

{"error":{"code":-32700,"message":"Parse error."},"id":null,"jsonrpc":"2.0"}
```
without doing anything (turning on the TV), the second one returns the same, but followed by three times:
```
{"error":{"code":-32700,"message":"Parse error."},"id":null,"jsonrpc":"2.0"}HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 76
Cache-Control: private, max-age=0, no-cache
Accept-Ranges: none
Date: Wed, 05 Apr 2017 21:39:21 GMT
```
Just for the heck of it, I tested your exact code (in terminal), and that gives the same error (as the first). Running in homeassistant gives the following in the log (where the position in question is the colon in `"Content-Type: application/json"`):
```
17-04-05 22:28:59 ERROR (Thread-1) [homeassistant.util.yaml] mapping values are not allowed here
  in "/home/homeassistant/.homeassistant/switches.yaml", line 45, column 53
17-04-05 22:28:59 ERROR (MainThread) [homeassistant.bootstrap] Error loading /home/homeassistant/.homeassistant/configuration.yaml: mapping values are not allowed here
  in "/home/homeassistant/.homeassistant/switches.yaml", line 45, column 53
```

@cgtobi 
I know, it's not optimal, but this was the solution I could think of. As mentioned, I can't setup the keys for ssh on the libreelec (that I use for ssh to other systems). I thought that since the libreELEC is such a blunted system, and I hopefully secured my home assistant well enough (using two-factor authentication for ssh login to that, and using let's encrypt ssl certificates for remote access), I could live with this.

@PhyberApex
I looked a bit into which one to chose a while back, and it seemed that a lot of the top developers for openELEC left to start libreELEC, and it also seemed that libreELEC was more up to date (i.e. currently being developed when I installed). I tried OSMC, but I hadn't heard of RaspBMC, I might give that a go.

I don't have any Allow/Deny Groups/Users in the `/etc/ssh/sshd_config`, does that default to "everyone has access"? Or should I specifically set up `AllowUsers pi homeassistant`, or something like that?

According to the LibreELEC FAQ it is perfectly fine to use preshared keys to authenticate for an ssh login.

Create and push an SSH public key to the box, then disable SSH password authentication in the settings add-on. If you’re going to use SSH regularly the second option is best as SSH keys offer much better protection than passwords.

If you have ssh access into the media machine, PLEASE use ssh keys for authentication, and on the remote machine you are sshing into, limit what the key can do and from where via the authorized_keys file. ssh is amazingly easy to use for remote automation, once you understand and use the provided framework for user keys.

1 Like

I do use ssh keys or two-factor authentication for every other machine than this. But you guys are right, it can work for libreELEC as well. Apparently I hade some problems when using wget to pull my publickey, and i didn’t check this before trying to disable ssh password.

So that was a big long post about nothing really, just a mess when trying to use wget to pull a file. Sorry about that, and thanks for all the help and suggestions.

For closure, and if anyone finds themselves with similar issues:
Now I have a unique ssh key pair only for the homeassistant-to-libreELEC ssh (created the privatekey as homeassistant user, and chmod 600).

I made a switch in home assistant to control the TV via the libreELEC, in the swtiches.yaml file:

- platform: command_line
  switches:
    tv_kodi:
       command_on: ssh -i /home/homeassistant/connection/privatekey_libreelec [email protected] "echo 'on 0' | cec-client -s"
       command_off: ssh -i /home/homeassistant/connection/privatekey_libreelec [email protected] "echo 'standby 0' | cec-client $
       friendly_name: TV

It works just fine, but with a few (~3-4) seconds delay, and the on/off icon in homeassistant doesn’t change (there is always light in the “on”). But all in all, this works as intended. (I know I can just use the media_player.tv for turning off, but for turning on, and perhaps other future controls, CEC works now). Now I just have to figure out how to make the button on the homeassistant media player control for the TV use these instead of the default (always another project :slight_smile: )

1 Like

Actually I didn’t find this conversation no pointless at all. It’s always worth documenting a solution. Glad it works for you now.

1 Like

My situation is quite similar:

  • two RPi with Libreelec (Kodi)
  • first RPi with HA in Docker
    How to open SSH without entering password manually from one Rpi to another?

Update:
Found a solution here:

  1. Run a command:
    ssh-keygen

Output:

Generating public/private rsa key pair.
Enter file in which to save the key (/storage/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): PRESS ENTER
Enter same passphrase again: PRESS ENTER
Your identification has been saved in /storage/.ssh/id_rsa.
Your public key has been saved in /storage/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The key's randomart image is: 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  1. Run a command:
    cat ~/.ssh/id_rsa.pub | ssh root@IP_ADDRESS_OF_DESTINATION ‘mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys’

  2. Run SSH without a password:
    ssh root@IP_ADDRESS_OF_DESTINATION

Output:

##############################################
#                 LibreELEC                  #
#            [https://libreelec.tv](https://libreelec.tv/)            #
##############################################
LibreELEC (official): 9.2.4 (RPi2.arm)

RPi-1:~ #
  1. To run a command remotely:
    ssh root@IP_ADDRESS_OF_DESTINATION ‘COMMAND’