What is SSH and how to use it for controlling other machines
SSH is a powerful command-line tool allowing you to connect to a remote machine and do basically whatever you want. Most people don’t know that SSH is not just a black window in which hackers put text in. It is also a way of sending a command to a remote machine without even typing anything.
Yes! You can shut down or do anything you want with SSH (as long as you have the user name and password of that server). A good example would be shutting down a remote server using this SSH command:
ssh donald@192.168.1.2 'sudo reboot'
This command will effectively restart the machine with IP 192.168.1.2. Cool, but how do you do that using Homeassistant? By using the command_line 1 component. This is all fine and dandy, but if you tried to connect to donald using this command you probably noticed that you needed a password for that. And now you have probably realised that you will not be able to add a password to the command_line 1 component. Luckily for you, you can run SSH commands without entering any passwords and still be safe at the same time. For this feat you will need a public/private key pair that will be used to connect to your remote machine without any passwords.
So where is the catch?
In Hass.io 😞. After I migrated from Hassbian to Hass.io, I ran into an issue: I could not do proper SSH commands to a computer running Hyperion 2. These issues with SSH were in fact caused by the concept of Docker isolation. This means that my Homeassistant instance was completely separated from my host machine, thus not allowing me to run executables such as SSH and others. Luckily the official Homeassistant Docker image has an SSH client installed in the container, so this means that I CAN call SSH commands, but yet again there is a catch. Can you guess what that catch is? As I mentioned before, we NEED to authenticate ourselves using a password OR a public/private key pair. So let's begin by making a public/private key pair.
Generating the Keys
In reality we need to generate SSH keys on both the FROM machine and the TO machine, because this is the only way (in SSH) for BOTH machines to prove their identity to each other. In this tutorial the machine that we issue commands FROM will be called the MASTER and the machine executing commands the SLAVE. In our case the MASTER is the machine running the HASS.io instance.
What will we be doing?
In this tutorial we will make a button in Homeassistant that, when pressed, will shut down our SLAVE server via SSH. Basically it will append to a text file every time we press a button. This example will be a good starting point for controlling remote devices.
- Set up an SSH connection to your HASS.io ResinOS host 3
In my case the IP addresses were:
MASTER IP: 192.168.0.105, SSH port: 22222
SLAVE IP: 192.168.0.111
1. Make SSH keys both on MASTER and the SLAVE
Generate SSH keys on HASS.io homeassistant docker container
Connect to the MASTER. This will not work “out of the box” so first follow official tutorial 3 on how to connect to the HASS.io host running ResinOS
ssh email@example.com -p 22222
Now attach to the Homeassistant docker container. List available docker containers.
docker ps -a
Find the Homeassistant container; its CONTAINER ID will look something like b7dfc2f4d0c4. Then attach to it
docker exec -it b7dfc2f4d0c4 /bin/bash
Now finally generate your SSH key, but this time in a different directory
mkdir /config/ssh
ssh-keygen -t rsa -f /config/ssh/id_rsa
Let's check out our two brand new PUBLIC & PRIVATE keys
cd /config/ssh
ls -al
cat id_rsa.pub
If all went well your public key output should look something like this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiprxeHAAieq2YtiXhFgSQIhZwvY6zsPAhsNU/N6yJ+JptVJGWBNY0tAD4eQiSsl88Qe4ryWVmtnw83jUjDMZp24uRtEAPnPW3f9N8mbDnyCEtbYhIDn1KseL3SuRWyFzk0fcMExZfsXrxgZ5nD/yQKvjcHm52LrhDfauxYADItonBZA+6mXh0E1LBrk6gP884IpLLbT9xetW2ZLP6htJDTPc2k9qN1cRVj3DD5Ppfyct1FmfZcAyi3Ua2dPxzngI5RUsjLBaqP+3lluc7fJVYK7fhnGZ36E/JNEamlzktBuLG1+1G3wxCshMFFBBuLTHb7qhtueIBY/4+wduJlFD root@hassio
COPY this value, it is your PUBLIC key, we will use it later!
For testing purposes let's create a user called mister.slave.
Connect to your SLAVE machine and add a user called mister.slave
# -m creates the home directory, -G sudo adds the user to the sudo group
sudo useradd -m -G sudo mister.slave
sudo passwd mister.slave
This step may differ because Unix-based distros use different commands for enabling sudo for your user; in my case (Debian 9) I just had to write sudo when creating a new user.
This will require a password; write something memorable. We will delete this user later anyways.
After creating mister.slave switch to it
sudo su mister.slave
Now that you have become the mister.slave user, let's finally make our SSH key pair
ssh-keygen -t rsa
Okay, we have our keys set up, but what about the passwordless connection from the MASTER?
It's easy: we have to add the public key we copied before to our SLAVE machine's authorized_keys file
echo "PASTE YOUR MASTER KEY INSTEAD OF THIS TEXT" >> ~/.ssh/authorized_keys
On some systems the authorized_keys file must have specific Unix permissions set, and it will fail silently if you do not set them, so let's do that.
The line below makes the file readable and writable only by our user
chmod 600 ~/.ssh/authorized_keys
Okay, our connection should be good to go. What we just did: we created an SSH key pair on both the MASTER and the SLAVE machines and installed the MASTER's public key onto the SLAVE. Now the SLAVE trusts the MASTER machine and allows it to connect without a password.
You will probably be interested in running some commands with sudo without a password. For this we will need to add these lines to /etc/sudoers.
You should be very careful when editing the `/etc/sudoers` file: one bad character could lock you out of the system forever!
Since visudo uses the vim text editor, it will require you to know some commands. Do not worry, I will denote editor commands like this: [[ ]]. Everything inside the [[ ]] is an editor command that you will have to type manually on your keyboard.
go to the bottom of the file
[[ shift + g ]] or simply [[ G ]]
enter insert mode
[[ i ]]
Paste this to the end of the file.
mister.slave ALL=(ALL) NOPASSWD: ALL
exit text editor and save contents
[[ :wq ]]
If all went well you should be able to run sudo commands without a password, let's test it out!
Expected output should be root. So if the console printed root and did not ask you for a password, congratz!
You can now run all sudo commands without having to enter your user's password.
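A narrower variant of the setup above, as an added example that is not part of the original post: the MASTER key is installed with a forced command so it can only trigger the reboot, the permissions that sshd checks are audited, and the sudoers rule covers one command instead of ALL. The function names, the sample key and the /sbin/reboot path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Constructed sample key; use the real contents of /config/ssh/id_rsa.pub.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed root@hassio'

# "restrict" disables forwarding and PTY allocation; command="..." forces one
# command no matter what the connecting client asks to run.
restricted_entry() {  # $1 = public key line, $2 = forced command
    printf 'restrict,command="%s" %s\n' "$2" "$1"
}

# Append the entry to <dir>/authorized_keys once, with owner-only modes.
install_entry() {  # $1 = .ssh directory, $2 = entry
    mkdir -p "$1" && chmod 700 "$1" || return 1
    touch "$1/authorized_keys" && chmod 600 "$1/authorized_keys" || return 1
    grep -qxF -- "$2" "$1/authorized_keys" ||
        printf '%s\n' "$2" >> "$1/authorized_keys"
}

# Succeed only if neither the directory nor the file is writable by group or
# others; sshd with StrictModes ignores authorized_keys when either one is.
perms_ok() {  # $1 = .ssh directory
    for p in "$1" "$1/authorized_keys"; do
        mode=$(ls -ld "$p" | cut -c1-10) || return 1
        case "$mode" in
            ?????-??-?) ;;  # group and other write bits are off
            *) echo "too permissive: $p ($mode)" >&2; return 1 ;;
        esac
    done
}

# sudoers rule limited to the one command (assumed path; add it with visudo).
SUDOERS_RULE='mister.slave ALL=(root) NOPASSWD: /sbin/reboot'

# Demo in a scratch directory, so the real ~/.ssh is not touched.
demo=$(mktemp -d)
install_entry "$demo/.ssh" "$(restricted_entry "$SAMPLE_PUBKEY" 'sudo /sbin/reboot')"
perms_ok "$demo/.ssh" && cat "$demo/.ssh/authorized_keys"
echo "$SUDOERS_RULE"
rm -rf "$demo"
```

With this entry the command sent by the MASTER is ignored: whatever it asks for, the SLAVE runs the forced command.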
2. Testing SSH connection MASTER → SLAVE
Let's connect to our MASTER machine again
ssh firstname.lastname@example.org -p 22222
Then let's issue a REBOOT command to our SLAVE
docker exec -it b7dfc2f4d0c4 /bin/bash
ssh -i /config/ssh/id_rsa -o StrictHostKeyChecking=no mister.slave@192.168.0.111 'sudo reboot'
If all went well, congratz again: you rebooted your mister.slave from Homeassistant manually!
- -i /config/ssh/id_rsa
- Defines where our private SSH key file can be found
- -o StrictHostKeyChecking=no
- Tells your SSH client not to stop with yes/no questions or refuse the connection when the host key is new or has changed 4; the host's identity is then not verified.
Keep in mind that b7dfc2f4d0c4 is the unique ID of my docker container; yours will definitely vary!
If you are confused, refer to the steps we did in the beginning: “1.1 MASTER”
If your SLAVE rebooted you can continue to step: “3 Adding Homeassistant Components”
3. Adding Homeassistant Components
Add these lines to your configuration.yaml file and then restart HASSIO
switch:
  - platform: command_line
    switches:
      test_ssh:
        command_on: "ssh -i /config/ssh/id_rsa -o StrictHostKeyChecking=no mister.slave@192.168.0.111 'sudo reboot'"
        friendly_name: Magic Test Switch
Now go to your Homeassistant dashboard and press your newly created button.
If you followed this tutorial thoroughly you should be good to start with remote control via SSH. If you are a beginner this guide is a hard one, and if you managed to reboot something from Homeassistant you should pat yourself on the back.
Personally I used this method for turning on effects on my Hyperion daemon. I am also planning to make shutdown and reboot buttons for other servers I have at home. One thing to mention though is that you will not have any console output when you call a remote command using the command_line component, so monitoring things on a remote machine is not possible. You can check out my HASSIO config file for further inspiration here 5