SSH'ing from a command line sensor or shell command

Depends on the device. This guide helps you execute commands via password-less ssh from HA in automations and things. But unifi doesn’t offer password-less ssh for every device.

For example looking in the unifi app now I can add ssh keys for password-less ssh for the APs and switches in my house but the ssh option for the main console only lets me set a password for ssh. So if I wanted to reboot a unifi AP from an automation I could follow this guide and do that. But I couldn’t reboot my main console device this way.

So you’ll have to do some research. Basically as long as you can set up password-less ssh to a device then you can run commands on it from an automation. But if you have to enter a password then it won’t work.


I had this working for ssh’ing into my Unifi APs for turning on/off the led and rebooting them. Something broke it and I’ve been burning hours trying to figure out how to get this functionality back. I just tried this guide and am still hitting a wall.

The thing is, if I try the following command from Home Assistant, either inside the container (docker exec -it homeassistant bash) or outside, I get prompted for a password:

ssh -o UserKnownHostsFile=/config/.ssl/known_hosts -i /config/.ssl/unifi_id_rsa -o HostKeyAlgorithms=+ssh-rsa [email protected]

If I try executing it from my FreeNAS server terminal (obviously with different paths), it asks for a password the first time to store the known_host but then logs in without a hitch. What am I missing??? I can’t ssh into my Router anymore either.

HELP! PLEASE!

I found out how to run ssh in verbose and got the following debug information:

bash-5.1# ssh -vv -o UserKnownHostsFile=/config/.ssl/known_hosts -o HostKeyAlgorithms=+ssh-rsa -i /config/.ssl/unifi_ap_id_rsa admin@10.1.11.3
OpenSSH_9.0p1, OpenSSL 1.1.1o  3 May 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 10.1.11.3 is address
debug1: Connecting to 10.1.11.3 [10.1.11.3] port 22.
debug1: Connection established.
debug1: identity file /config/.ssl/unifi_ap_id_rsa type 0
debug1: identity file /config/.ssl/unifi_ap_id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version dropbear
debug1: compat_banner: no match: dropbear
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.1.11.3:22 as 'admin'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:VspYhqRDgs1WdMN0XJgMLLUq56dWZDYlNTFhFS8LrNw
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.1.11.3' is known and matches the RSA host key.
debug1: Found key in /config/.ssl/known_hosts:1
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /config/.ssl/unifi_ap_id_rsa RSA SHA256:FhJabx1by6kHaDgFIC4OgUZJLWOMiWrRnJNBWzS8YPo explicit
debug2: pubkey_prepare: done
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /config/.ssl/unifi_ap_id_rsa RSA SHA256:FhJabx1by6kHaDgFIC4OgUZJLWOMiWrRnJNBWzS8YPo explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
admin@10.1.11.3's password:

This worked!!!

ssh -o UserKnownHostsFile=/config/.ssl/known_hosts -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -i /config/.ssl/unifi_ap_id_rsa [email protected]

Can anyone tell me why… and what happened to cause this to be required?
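The debug output above answers the "why": the device's dropbear offers only ssh-rsa and ssh-dss host key algorithms, and when the client tries the RSA user key it logs "send_pubkey_test: no mutual signature algorithm" and silently moves on to password. "ssh-rsa" means an RSA signature over SHA-1, and OpenSSH 8.8 disabled that signature algorithm by default (the Home Assistant container here runs OpenSSH 9.0p1). PubkeyAcceptedKeyTypes is the older name of the option; since OpenSSH 8.5 it is called PubkeyAcceptedAlgorithms and both spellings are accepted. Re-enabling SHA-1 RSA for every connection is more than you need, so the script below, an added example that is not part of any post in this thread, writes a per-host ssh_config block that scopes the exception to the one dropbear device. The host, user, key and known_hosts paths are taken from the log above; the alias "unifi-ap" and the location of the config file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate a per-host ssh_config
# that re-enables the SHA-1 "ssh-rsa" algorithms ONLY for one dropbear device,
# so every other SSH connection from the container keeps the modern defaults.
# Host, user, key and known_hosts values come from the thread's debug log;
# the alias "unifi-ap" and the output path are assumptions.

# write_dropbear_host_config OUTFILE ALIAS HOSTNAME USER KEYFILE KNOWN_HOSTS
write_dropbear_host_config() {
    out=$1; alias=$2; host=$3; user=$4; key=$5; kh=$6
cat > "$out" <<EOF
# Legacy-algorithm exception scoped to a single dropbear device.
Host $alias
    HostName $host
    User $user
    IdentityFile $key
    IdentitiesOnly yes
    UserKnownHostsFile $kh
    StrictHostKeyChecking yes
    # An automation must never hang on an interactive password prompt;
    # with BatchMode the client fails fast instead of asking.
    BatchMode yes
    # dropbear on this device only signs with SHA-1 RSA ("ssh-rsa").
    # OpenSSH 8.8+ disabled that by default, hence "no mutual signature
    # algorithm" and the fall-through to password authentication.
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

# Everything else keeps stock OpenSSH defaults (no ssh-rsa).
Host *
    IdentitiesOnly yes
EOF
    chmod 600 "$out"
}

# Sanity check: the legacy exception must sit under the device's Host block
# and must not appear under the catch-all "Host *" block.
legacy_scoped_to_host() {
    awk '
        /^Host /                                   { cur = $2 }
        /PubkeyAcceptedAlgorithms [+]ssh-rsa/      { if (cur == "*") bad = 1; else seen = 1 }
        END { exit (seen && !bad) ? 0 : 1 }
    ' "$1"
}

# Demo run into a temporary file so it works anywhere.
demo=$(mktemp)
write_dropbear_host_config "$demo" unifi-ap 10.1.11.3 admin \
    /config/.ssl/unifi_ap_id_rsa /config/.ssl/known_hosts
cat "$demo"
legacy_scoped_to_host "$demo" && echo "legacy algorithms scoped to unifi-ap only"
rm -f "$demo"
```

Write the generated file to /config/.ssh/config (so it survives updates) and point the shell_command at it with `ssh -F /config/.ssh/config unifi-ap reboot`; the -F is needed because the container's home directory is not /config. `ssh -G -F /config/.ssh/config unifi-ap` prints the effective options for the alias, which is the quickest way to confirm that `PubkeyAcceptedAlgorithms` contains ssh-rsa for the device and not for other hosts. A non-standard SSH port belongs in the same Host block as a `Port` line.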

It’s still not working for me, but I guess it’s my limited Linux knowledge.

I placed the keys in config/ssh/, not in config/.ssh/ (what is the “.” indicating?).

The problem is it’s saying that the Identity config/ssh/NameofKey is not accessible. What am i doing wrong?

When I use the -vv option I get the following:

ssh -o UserKnownHostsFile=ssh/known_hosts -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -i ssh/Unifi -o StrictHostKeyChecking=no [email protected]

[…]
,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:nT9GMjedViDiS76laJPeCUR3SkoEVVMYnmd8q8oyHxg
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.1.6' is known and matches the RSA host key.
debug1: Found key in ssh/known_hosts:1
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: ssh/Unifi RSA SHA256:+ISN7WhtRbkPkq2lc41WX9AcLHLxIfAE0ccYvHOcIgg explicit
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,ssh-rsa>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: ssh/Unifi RSA SHA256:+ISN7WhtRbkPkq2lc41WX9AcLHLxIfAE0ccYvHOcIgg explicit
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password:
debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,password).
bash-5.1#

The dot (.) is a default Linux system thingy; I don’t know the full scope, but if you do an ls command it doesn’t show, it’s kind of hidden. Although with ‘ls -lah’ it does show. Just don’t worry about it.

If it is not accessible it is probably because it doesn’t have the appropriate rights. You could do a ‘chmod 777 ./ssh/*’ to ensure it has all rights, to check if this is the problem.

I did a chmod 777 (again), but that does not change it; I still get the

debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method

Solution: It was a wrong key :confused:
So problem solved!
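Two offline checks for the dead ends in the last few posts, as an added example rather than anything posted in the thread. First, the 777 suggestion: OpenSSH refuses to load a private key that is readable by group or others, prints "Permissions 0777 for '...' are too open" and ignores the key, so widening the mode cannot fix a key problem and can cause one; 600 (or 400) is what the client wants. Second, "it was a wrong key": the server matches the key type and the base64 blob of the offered public key against the lines in the target user's authorized_keys, ignoring the comment and any leading options, so the same comparison done locally tells you before you connect whether the key you pass with -i is the one that was installed. The key files and authorized_keys content below are constructed for the demo; the blobs are placeholders in the right format, not real key material. `stat -c` is assumed to be GNU or busybox stat, which is what the Home Assistant container ships.

```shell
#!/bin/sh
# Added example (not from the original posts): two offline checks covering the
# "chmod 777" and "wrong key" dead ends in this thread. All key material below
# is constructed for the demo; the base64 blobs are placeholders, not keys.

# OpenSSH ignores a private key readable by group or others
# ("Permissions 0777 for ... are too open"). Returns 0 only for owner-only
# modes. Assumes GNU/busybox stat (Linux), as in the HA container.
private_key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    mode=$(printf '%s' "$mode" | sed 's/^0*//')
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# authorized_keys lines may begin with options ("command=...,no-pty ")
# before "type base64 comment". The server matches on type + base64 only,
# so that is what we compare. Returns 0 when PUBKEY_FILE's key is listed
# in AUTHORIZED_KEYS_FILE.
pubkey_is_authorized() {
    want=$(awk '{print $1, $2}' "$1")
    awk -v want="$want" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            # Locate the key-type field; the blob is the field after it.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp[0-9]+)$/) {
                    if (($i " " $(i+1)) == want) found = 1
                    break
                }
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Demo with constructed files in a temporary directory.
tmp=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOBONExxxxxxxxxxxxxxxxxxxx ha-automation\n' > "$tmp/Unifi.pub"
printf 'CONSTRUCTED PRIVATE KEY PLACEHOLDER\n' > "$tmp/Unifi"
cat > "$tmp/authorized_keys" <<'EOF'
# keys installed on the device (constructed)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDUNRELATEDxxxxxxxxxxxxxxxxx laptop
command="/sbin/reboot",no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOBONExxxxxxxxxxxxxxxxxxxx ha-automation
EOF

chmod 777 "$tmp/Unifi"
private_key_perms_ok "$tmp/Unifi" || echo "Unifi: mode too open, ssh will ignore this key; chmod 600 it"
chmod 600 "$tmp/Unifi"
private_key_perms_ok "$tmp/Unifi" && echo "Unifi: permissions OK"

pubkey_is_authorized "$tmp/Unifi.pub" "$tmp/authorized_keys" \
    && echo "Unifi.pub is listed in authorized_keys" \
    || echo "Unifi.pub is NOT in authorized_keys: wrong key for this user"
rm -rf "$tmp"
```

On a real device, run `ssh-keygen -lf /config/ssh/Unifi.pub` locally and `ssh-keygen -lf ~/.ssh/authorized_keys` on the target to compare fingerprints by eye; the function above does the same comparison without ssh-keygen. The constructed authorized_keys line also shows the least-privilege shape for an automation key: `command="/sbin/reboot",no-port-forwarding,no-pty` limits what that key can do if it leaks. OpenSSH honours those options; whether the dropbear build on a given device does, and whether the controller overwrites a hand-edited authorized_keys, is something to verify on that device.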



I am going crazy with this… So what I’m trying to achieve is setting the volume with amixer -D pulse sset Master XX% with a shell_command. So documentation states it is run in the homeassistant container (when running HAOS).

Now, I ssh in with the Community Addon set up. Everything works. Volume can be changed with the command above. I can also docker exec -it homeassistant /bin/sh into the homeassistant container to reproduce the expected behavior with the shell_command. However, amixer is not available in this container, so I figured I’d need to ssh into the host machine to issue the command.

So first I (from within the homeassistant container) generated the keys and put them in the suggested /config/.ssh/ folder:
ssh-keygen -t rsa

Then copy those:
ssh-copy-id -i /config/.ssh/id_rsa3.pub -o UserKnownHostsFile=/config/.ssh/known_hosts2 [email protected]

/config # ssh-copy-id -i /config/.ssh/id_rsa3.pub -o UserKnownHostsFile=/config/.ssh/known_hosts2 [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/config/.ssh/id_rsa3.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
expr: warning: '^ERROR: ': using '^' as the first character
of a basic regular expression is not portable; it is ignored
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'UserKnownHostsFile=/config/.ssh/known_hosts2' '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

When trying to log in now via ssh -i /config/.ssh/id_rsa3 -o UserKnownHostsFile=/config/.ssh/known_hosts2 -vvv [email protected] I am still prompted for password as the verbose messages hint:

...
debug1: Next authentication method: publickey
debug1: Offering public key: /config/.ssh/id_rsa3 RSA SHA256:wEgsown5iv/rOd2qkCd19JE6Rxc/1hcqGPuL0VCoM44 explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

I tried swapping the docker0 interface address with the machine hostname jonibox too (so jonibox@jonibox) in both ssh and ssh-copy-id with negative results.

I am running out of ideas. How to debug this? Is there another option to set audio volume on hardware level from Automation or Node-Red?
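The three verbose transcripts in this thread each fail at a different point, and the client's debug lines tell them apart: the first never offers the key ("send_pubkey_test: no mutual signature algorithm", a client-side algorithm mismatch), while the second and the one just above do send the key ("we sent a publickey packet, wait for reply") and get back another "Authentications that can continue" with no acceptance, meaning the server looked at the key and refused it. The classifier below is an added example, not code from any post; it reads `ssh -vv` output and prints which of those cases it is seeing. The sample transcripts are constructed from the debug lines quoted in the thread, cut down to the lines the classifier keys on, with placeholder fingerprints.

```shell
#!/bin/sh
# Added example (not from any post in this thread): classify the failure mode
# from "ssh -vv" client output. The sample transcripts below are constructed
# from the debug lines quoted in the thread; fingerprints are placeholders.

# triage_ssh_debug FILE  -> prints a single verdict line
triage_ssh_debug() {
    awk '
        /Identity file .* not accessible/                 { missing = 1 }
        /Permissions [0-7]+ for .* are too open/          { perms = 1 }
        /no matching host key type found/                 { hostalg = 1 }
        /send_pubkey_test: no mutual signature algorithm/ { noalg = 1 }
        /Offering public key:/                            { offered = 1 }
        /we sent a publickey packet, wait for reply/      { sent = 1 }
        /Authentication succeeded \(publickey\)/          { ok = 1 }
        /Next authentication method: password/            { fellback = 1 }
        /Permission denied, please try again/             { badpw = 1 }
        END {
            # Most specific, most actionable verdict first.
            if (ok)            print "OK: public key accepted"
            else if (missing)  print "KEY_FILE: identity file not found; check the -i path (config/ssh vs /config/.ssh)"
            else if (perms)    print "KEY_FILE: private key mode too open, client ignores it; chmod 600 the key"
            else if (hostalg)  print "HOST_KEY: server offers no host key algorithm the client accepts; HostKeyAlgorithms=+ssh-rsa for dropbear"
            else if (noalg)    print "CLIENT_SKIPPED_KEY: no mutual signature algorithm; PubkeyAcceptedAlgorithms=+ssh-rsa for dropbear"
            else if (sent && fellback) print "SERVER_REJECTED_KEY: key offered and refused; wrong key, or not in authorized_keys for this user"
            else if (badpw)    print "PASSWORD: password rejected"
            else if (!offered) print "NO_KEY_OFFERED: client never offered a key; check -i and IdentitiesOnly"
            else               print "UNKNOWN: inspect the full -vvv output"
        }
    ' "$1"
}

# Constructed transcripts, trimmed from the thread's logs.
tmp=$(mktemp -d)
cat > "$tmp/sha1_only_dropbear.log" <<'EOF'
debug1: Offering public key: /config/.ssl/unifi_ap_id_rsa RSA SHA256:PLACEHOLDER explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
EOF
cat > "$tmp/key_refused.log" <<'EOF'
debug1: Offering public key: /config/.ssh/id_rsa3 RSA SHA256:PLACEHOLDER explicit
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
Permission denied, please try again.
EOF
cat > "$tmp/missing_key.log" <<'EOF'
Warning: Identity file config/ssh/NameofKey not accessible: No such file or directory.
debug1: Next authentication method: password
EOF
cat > "$tmp/success.log" <<'EOF'
debug1: Offering public key: /config/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER explicit
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /config/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER explicit
debug1: Authentication succeeded (publickey).
EOF
for f in "$tmp"/*.log; do
    printf '%s: ' "$(basename "$f")"
    triage_ssh_debug "$f"
done
rm -rf "$tmp"
```

To use it on a live attempt, capture stderr, which is where ssh writes its debug output: `ssh -vv -i /config/.ssh/id_rsa3 user@host true 2>/tmp/ssh.log; triage_ssh_debug /tmp/ssh.log`. A SERVER_REJECTED_KEY verdict means the problem is on the far side (which user's authorized_keys the key landed in, that file's ownership and mode, or a server that reads keys from somewhere other than ~/.ssh/authorized_keys), so no amount of client-side option tweaking will change it.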

Hi, I have strange behaviour with this one. The command line sensor has been working well for many months with these instructions. It still works now, but it has become really slow. Response time is about one minute when I test using “sudo docker exec -it homeassistant bash”. There is the same one-minute delay from the HA command line sensor as well. I haven’t changed any configuration in the meantime.

If I test the same command outside the container with just the ssh command, there is no delay at all.

Any idea ? :slight_smile:

Instead I’d recommend telling ssh-keygen to store its generated ID file in /config/.ssh . You don’t have to put it in a folder called .ssh if you don’t want to, I just like the consistency. But you should put it in /config so it is preserved over updates.

For anyone getting “no such file or directory” error at this point: Automated SSH commands from HA - #13 by CentralCommand

Great post, but I can’t get it working. ssh continues to ask for a password.
- I generated the keys, without passwords
- copied the public key to the Pi,
- created the known_hosts file
But after that, for example, this command still prompts for a password:

~ ssh -i /config/.ssh/id_rsa [email protected]

[email protected]'s password: 

or

~ ssh -o UserKnownHostsFile=/config/.ssh/known_hosts [email protected] -i /config/.ssh/id_rsa 
[email protected]'s password: 

What I’m missing? Running out of ideas

Did you add public key to the authorized_keys file?

Thanks for the suggestion. I’m new to SSH and didn’t see that in the instructions. So ssh-copy of the public key doesn’t do that?!
I will have a look where that file is.
Thanks for the tip!

@arkoko
Update: I got it working by just adding the public key to the authorization_key tag in the SSH and Web add-on configuration. Thanks for the hint :smile:

Does anyone else use a different ssh port?

I have correctly installed the addon and all of the above, including the Network SSH port config in the addon settings. Everything loads, but whenever I then attempt SSH it always defaults to port 22 (which I have blocked in my firewall) and thus refuses the connection.


The only way around this is to use -p in my ssh command and then SSH works fine:

ssh -o UserKnownHostsFile=/config/.ssh/known_hosts [email protected] -p 31002 -i /config/.ssh/id_rsa

While using -p is fine I would like to understand why HomeAssistant keeps defaulting to port 22 even though it is configured to use 31002

I “think” that you need to put the -p and -i before the destination and command, so try:

ssh -p 31002 -i /config/.ssh/id_rsa -o UserKnownHostsFile=/config/.ssh/known_hosts [email protected]

Hi Derek, thanks for your response. Sorry, I probably wasn’t clear:
the -p 31002 -i was working fine in that command.
I just can’t understand why it is needed in the command string. I had changed the ssh config in HA to be port 31002, yet it keeps defaulting back to 22 unless -p is included.

Probably because that’s the default port for the SSH command.

I nearly said what @DerekO just has when you first posted, but figured I was missing something.

You are SSHing from other devices into HA, so if HA is listening on a non standard port, you have to specify the port always.