execute.Command.Line not working

  • Platform information:
    • Hardware: Intel i5
    • OS: Ubuntu 24.04
    • Java Runtime Environment: 17
    • openHAB version: 4.3.0

I know that failures to run command line from within Openhab have been discussed many times. I tried to follow all the recommendations but still cannot get it to work.

I want to run a bash script, startmm, from within Openhab

Bash script

#!/usr/bin/bash
sshpass -ppasword ssh user@server 'bash -s' < /etc/openhab/scripts/startmm.sh

The startmm.sh script is

#!/usr/bin/bash
/usr/bin/pm2 start mm

User openhab owns all the scripts

Everything works as expected when running the script from the command line as user automation and I get the following response

In Openhab I have the following rule

var result = actions.Exec.executeCommandLine(time.Duration.ofSeconds(3), "/etc/openhab/scripts/startmm");
console.log(result);

When I run the rule the logged result is blank and the command does not get executed on the remote server.

On the remote server I see closing of the SSH connection but not opening

Feb 15 20:20:05 pi-mirror sshd[9080]: Connection closed by 192.168.0.98 port 42692 [preauth]                            
Feb 15 20:21:10 pi-mirror sshd[9135]: Connection closed by 192.168.0.98 port 40054 [preauth]                            
Feb 15 20:25:45 pi-mirror sshd[9325]: Connection closed by 192.168.0.98 port 39794 [preauth]

Any suggestions? Thank you.

First, please do not use /etc/openhab/scripts/ as a directory for bash scripts, as it’s meant only for *.script files (DSL scripts, that can be called via callScript("name") from DSL rules).
Second, you’ll have to use the exact name. If the script is named startmm.sh, you’ll have to use startmm.sh, not startmm.

Would be better to use public/private key to control the remote machine.

Thanks.

Apart from not being best practice, does it create a problem to place the files in /scripts?

There are two different scripts: one is startmm.sh, which is the script that gets passed on to SSH, and there is an executable script startmm, which is what Openhab should execute.

I tried using public/private keys and got errors. Using sshpass might not be optimal but I know it works. Once I can get Openhab to succeed in running the script I can work on making the connection more secure.

Carlos

You might try adding it to the exec.whitelist if you have not already done so.

The exec.whitelist seems to be used for the exec binding, I am not using the exec binding, I am using execCommandLine in JS scripting.

After doing some more testing it looks like openhab cannot run the script

sudo -u openhab /etc/openhab/scripts/startmm

fails even though openhab owns the executable script


-rwxr-xr-x 1 openhab openhab 106 Feb 15 17:37 startmm
-rwxr-xr-x 1 openhab openhab 105 Feb 15 17:37 stopmm

/etc/openhab/scripts/startmm

succeeds logged in as user automation.

You might try updating the sudoers file to allow the openhab user to run with root for that script perhaps.
Something like this in your sudoers file
openhab ALL=NOPASSWD: /etc/openhab/scripts/startmm
might work and update your rule

var result = actions.Exec.executeCommandLine(time.Duration.ofSeconds(3), "sudo","/etc/openhab/scripts/startmm");
console.log(result);

see what that gives you

I will try that but I think the problem lies somewhere else.

When I say that running the executable script as user openhab fails, what is really happening is that I get no response and the command does not get executed on the server side, but there is no error.

If I run the script as a regular user, on the server side I get this

Feb 15 17:27:09 pi-mirror sshd[1648]: Accepted password for pi-mirror from 192.168.0.98 port 59584 ssh2
Feb 15 17:27:09 pi-mirror sshd[1648]: pam_unix(sshd:session): session opened for user pi-mirror(uid=1000) by (uid=0)
Feb 15 17:27:09 pi-mirror systemd-logind[422]: New session 5 of user pi-mirror.
Feb 15 17:27:14 pi-mirror sshd[1654]: Received disconnect from 192.168.0.98 port 59584:11: disconnected by user
Feb 15 17:27:14 pi-mirror sshd[1654]: Disconnected from user pi-mirror 192.168.0.98 port 59584
Feb 15 17:27:14 pi-mirror sshd[1648]: pam_unix(sshd:session): session closed for user pi-mirror
Feb 15 17:27:14 pi-mirror systemd-logind[422]: Session 5 logged out. Waiting for processes to exit.
Feb 15 17:27:14 pi-mirror systemd-logind[422]: Removed session 5.

When I run the same script as user openhab I get this on the server

Feb 15 17:30:35 pi-mirror sshd[1698]: Connection closed by 192.168.0.98 port 46540 [preauth]

I don’t know enough about Linux to be able to figure out what this is telling.

I’ll try the SUDOERS.
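For reading the sshd lines quoted in this thread: a `[preauth]` close means the client dropped the connection before authenticating, while `Accepted <method>` marks a completed login. The following is an added example, not part of any post; it counts both per client address. The log lines are copied from the thread, and `sample_log` and `summarize_sshd` are hypothetical names.

```shell
#!/bin/sh
# Sample input: sshd lines copied from the posts in this thread.
sample_log() {
cat <<'EOF'
Feb 15 17:27:09 pi-mirror sshd[1648]: Accepted password for pi-mirror from 192.168.0.98 port 59584 ssh2
Feb 15 17:27:14 pi-mirror sshd[1654]: Disconnected from user pi-mirror 192.168.0.98 port 59584
Feb 15 17:30:35 pi-mirror sshd[1698]: Connection closed by 192.168.0.98 port 46540 [preauth]
Feb 15 20:20:05 pi-mirror sshd[9080]: Connection closed by 192.168.0.98 port 42692 [preauth]
Feb 15 20:21:10 pi-mirror sshd[9135]: Connection closed by 192.168.0.98 port 40054 [preauth]
Feb 15 20:25:45 pi-mirror sshd[9325]: Connection closed by 192.168.0.98 port 39794 [preauth]
EOF
}

# Reads sshd log lines on stdin and prints one line per client address:
#   <ip> accepted=<n> preauth_closed=<n> methods=<auth methods seen>
summarize_sshd() {
  awk '
    function client(   i) {          # the address is the field before "port"
      for (i = 2; i <= NF; i++) if ($i == "port") return $(i - 1)
      return "?"
    }
    / sshd\[[0-9]+\]: Accepted / {
      ip = client(); seen[ip] = 1; accepted[ip]++
      for (i = 1; i < NF; i++) if ($i == "Accepted") m = $(i + 1)
      # record each authentication method once per address
      if (index("," methods[ip] ",", "," m ",") == 0)
        methods[ip] = (methods[ip] == "" ? m : methods[ip] "," m)
    }
    / sshd\[[0-9]+\]: Connection closed by / && /\[preauth\][ \t]*$/ {
      ip = client(); seen[ip] = 1; preauth[ip]++
    }
    END {
      for (ip in seen)
        printf "%s accepted=%d preauth_closed=%d methods=%s\n", ip,
               accepted[ip], preauth[ip], (methods[ip] == "" ? "-" : methods[ip])
    }
  ' | sort
}
```

On the server, `journalctl -u ssh | summarize_sshd` (the unit name is an assumption) gives the same summary for live logs.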

Here is the SUDOERS entry

openhab ALL=NOPASSWD: /etc/openhab/scripts/startmm

Here is the modified rule

var result = actions.Exec.executeCommandLine(time.Duration.ofSeconds(3),"sudo", "/etc/openhab/scripts/startmm");
console.log(result);

No difference in the results. I get no errors but on the server side I only see the connection closing and the script I send to the server to be executed is not executed.

I think openhab is executing the script but for some reason it is seen differently on the server than if a regular user executes it.

I found the problem.
The issue was that when openhab initiated the connection the server asked to approve (not sure if this is the correct term) the fingerprint. Adding -o "strictHostKeyChecking=no" to the ssh command solved the issue.

So it was not really an openhab problem.

Thanks to everyone

No, it doesn’t, but as you already stated, it’s best practice to keep scripts where they belong.

It’s really easy. But to make it 100% correct, there are some steps to do.

  1. log in to openhab shell (as user openhab!)
     sudo su - openhab -s /bin/bash
  2. create a directory .ssh and set its permissions to 700
     mkdir .ssh
     chmod 700 .ssh
  3. create a pair of keys (e.g. with ed25519 elliptic curve). Don’t set a passphrase at all
     ssh-keygen -t ed25519 -f .ssh/openhab_ed25519
  4. copy the public key to the remote machine:
     ssh-copy-id -i .ssh/openhab_ed25519.pub user@remote-host

     ssh-copy-id will ask whether the connection is safe (authenticity can’t be established…) and for the password of the remote host.

  5. check whether connection can be established
     ssh user@remote-host -i .ssh/openhab_ed25519
  6. If the connection fails, please check whether the home directory is writable for other users
     ls -l .. | grep openhab

The output should be like

drwxr-xr-x 20 openhab   openhab  26 23. Jan 01:41 openhab

and if the bits are wrong, you should change them

chmod 755 ../openhab

If you still get errors, maybe the remote host is not able to use ed25519 (very unlikely, but…)
You can create as many public/private keys as you want, as long as the names are different (obviously). There is no need for a remote user openhab, although the public/private key belongs to openhab. But it’s crucial that openHAB will use the username from step 4 to log in remotely.

1 Like
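With the key pair from the steps above in place, the wrapper can drop both sshpass and `StrictHostKeyChecking=no` (which skips verification of the server's host key) and rely on the host key that the openhab user confirmed during step 4. The following is an added example, not code from the thread or from openHAB; the `REMOTE` value, the file locations, the function names and the `start` argument are assumptions.

```shell
#!/bin/sh
# Assumed values; override through the environment if they differ.
REMOTE="${REMOTE:-user@remote-host}"
KEY="${KEY:-$HOME/.ssh/openhab_ed25519}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# Check the local prerequisites before connecting, so a misconfiguration
# gives an error message and a non-zero exit status.
# Returns 0 = ok, 2 = key missing, 3 = key accessible to group/other,
# 4 = no pinned host key.
preflight() {
  [ -f "$KEY" ] || { echo "missing private key: $KEY" >&2; return 2; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  if [ "$(ls -ldL "$KEY" | cut -c5-10)" != "------" ]; then
    echo "private key $KEY is accessible to group/other" >&2
    return 3
  fi
  [ -s "$KNOWN_HOSTS" ] || { echo "no pinned host key in $KNOWN_HOSTS" >&2; return 4; }
  return 0
}

# Run a command on the remote host without any interactive prompt.
run_remote() {
  preflight || return $?
  # BatchMode=yes: never prompt (password, passphrase, host key); fail instead.
  # StrictHostKeyChecking=yes: connect only if the host key is already pinned.
  # IdentitiesOnly=yes: offer only the key given with -i.
  ssh -o BatchMode=yes \
      -o StrictHostKeyChecking=yes \
      -o "UserKnownHostsFile=$KNOWN_HOSTS" \
      -o IdentitiesOnly=yes \
      -o ConnectTimeout=5 \
      -i "$KEY" "$REMOTE" "$@"
}

# Entry point: "start" runs the same remote command as startmm.sh in the thread.
case "${1:-}" in
  start) run_remote /usr/bin/pm2 start mm ;;
esac
```

The rule would then pass the wrapper's path and `"start"` as separate arguments to `executeCommandLine`, the same way the thread passes `"sudo"` and the script path.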

That worked perfectly.

I had followed similar steps before but for the regular user, that is why it was not working when I tried to use paired keys with openhab as the user.

Thank you

That should work as well, but openhab (the user) has to be the owner of the keys. The easiest way to achieve this is to create them with the user openhab, then it’s straightforward…