HA – shell commands to RPI or other Linux machines, without the need to enter passwords !

Sometimes you just one to run a remote command from HA, on another machine. (RPI or other Linux machine)
When using shell_command within HA, you get confronted with the fact that you need to enter a password
on this remote machine to SSH into it, and also when you want to run a command as Sudo.
This article will explain on how to “bypass” this “issue”.

1. What is SSH ?
SSh is used to execute commands on a remote PC or to copy files (SFP) to/from that other machine,
just like you try to work on that machine itself. This becomes handy if the “other” machine it at another location
or does not have a screen attached.
More info about SSH can be found at  https://www.ssh.com/academy/ssh

From a terminal prompt, you type ssh username@remote_IP
Replace username with a valid username of the remote machine, with enough rights to remotely log in.
Replace remote_IP with the IP address (or DNS name) of this remote machine.
You will then be logged in on a terminal prompt that is running on the remote machine.
(You first need to enter a password, before the remote connection is established !)

When you get a “connection refused”, it means that SSH is not installed/configured on the remote machine.
You then need to physically login on the “remote machine”, and install SSH.
On Ubuntu (linux) this can be done by typing sudo apt-get install ssh

When you login remotely for the first time, you get a message about a fingerprint. You need to accept this !
(this will interchange a keys file between both machines, to secure future connections)
When the IP address of the remote machine changes, the fingerprint key is no longer valid.
You need to remove it from the machine from where you try to make a connection.
This can be done by: ssh-keygen -f “/home/username/.ssh/known_hosts” -R “remote_IP”
(replace username & remote_IP, like previously discussed above)

2. Establish SSH connection without the password prompt
When you want to use an SSH connection in an automation, one thing that prevents the automation from running correctly,
is the fact that a prompt appears, where you need to enter your password.
These steps will explains on how to “bypass” this …

A. Login to you HA via a browser.
B. Open “Terminal” (this should be an icon in the left-column of your HA)
C. Type cd /config/ssh
D. If you get a message “No such file or directory”, then do the following steps (otherwise skip to step L)
E. Type ls
F. If you get id_rsa and id_rsa.pub in the result, then go to step L.
G. Type mkdir /config/ssh (only when “No such file or directory” in step D).
H. Type ssh-keygen -t rsa -b 4096 (this can take a while)
I. When asked where to save the file, type /config/ssh/id_rsa
J. Just press <enter> at the following 2 question.
K. You will see a message that your public key is saved in /config/ssh/id_rsa.pub
L. Type ssh-copy-id -i /config/ssh/id_rsa username@remote_ip (replace username & remote_ip)
M. Type ssh -i /config/ssh/id_rsa username@remote_ip

What we now did, is (created if necessary and) copied the public RSA key to the remote machine.
Whenever you need to connect to the remote machine, just type the command from step M ,
instead of the regular ssh command. Using this command, you don’t need to enter a password !

3. Make sure we don’t need a password anymore for sudo commands
If you want to run a sudo command, you always need to enter your users’ password.
To “eliminate” this, just follow the next steps.
(You can also use this, without the steps in part 2, simply run these steps on the machine where
you want to bypass the sudo password)

A. Type sudo visudo
B. Almost at the end of the file, find the line with something like %sudo ALL=(ALL:ALL) ALL
C. Under this line, add the following: username ALL=(ALL) NOPASSWD:ALL (replace username)
D. Press <ctrl> and <x> together, you will get a message “save changed buffer ?”
E. Answer with Y
F. change the filename /etc/sudoers.tmp to /etc/sudoers (without a dot !)
G. Answer Y to all remaining questions

What we did here, is added your username to the sudoers group,
so you can run sudo commands without the need of entering your password.

4. The diffence
In the past, you typed ssh username@remote_ip sudo shutdown
Next, you needed to type your password 2 times: 1x for ssh login and 1x for the sudo shutdown command.

Now, you just type ssh -i /config/ssh/id_rsa username@remote_ip sudo shutdown
This command will login via SSH without asking for the password, and next do the sudo-command shutdown,
also without asking the sudo password.
This gives you the possibility to use these commands as a shell_command, without the need to enter the password.
(passing the password via stdin and stdout , does not work, this is the only way around it …)

This entry was posted in Blog, Home Assistant, Tutorials. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *