executeCommandLine : ssh/account/permissions setup for remote reboot action

Karl2 · April 26, 2019, 1:56pm

I have 2 raspberry pi devices -

The first one is running the openHAB server and sitemap to control the alarm
The second is setup to run my home alarm python application.

Currently, the only way I have of rebooting the alarm is via MQTT. If the broker were to hang on the openHAB server or the alarm application were to become unresponsive then I wouldn’t be able to reboot to clear any issues. To solve this problem I decided it would be a good idea to setup an openHAB rule to issue a remote reboot as an alternative option.

rule "Reboot PI (OpenHAB)"
when 
    Item RebootPI_FromOpenHAB received command
then
    if (receivedCommand == 100) 
    {
        var String results = ""
        results = executeCommandLine("ssh openhab@192.168.0.82 sudo shutdown -r now", 5000)
        logInfo("OpenHAB Reboot Alarm", "results=" + results)
        sendNotification("xxxx@xxx.com", "OpenHAB Re-boot request has been sent !")  
    }
end

The info provided from this point on is what I’ve understood from the advice given by the other posters in this thread. What I have implimented has worked but perhaps Rich could do a sanity check on the text that follows just to make sure Im not misleading anyone here I’ve had to document this processs after the event but I’m confident that the steps below will achieve the desired result.

As pointed out to me, Its worth noting that “executeCommandLine” uses the openhab account ( not openhabian ) to run its payload.

DO THIS FROM THE OPENHAB SERVER

The step that follows may or may not be necessary but I did it anyway. I added openhab to the sudo group. You can ommit this step and see what results you get once you have finished the rest of the steps below. If you have an issue then come back here and do this step.

sudo usermod -a -G sudo openhab

Now we need to login as the openhab account. Since the password is not exposed you can use the following command below. NOTE : I’ve read somewhere that the password is “habopen” but I’ve had no luck logging on as openhab with this password.

sudo -u openhab /bin/bash

Now you can run

ssh-keygen -t rsa -b 4096

when prompted, use the path below to store the keys. If the .ssh directory does not already exist you will have to create it.

/var/lib/openhab2/.ssh

Its worth pointing out that “/var/lib/openhab2” is the home drive path for the openhab account. For all other accounts you would normally expect to see the home drive located in “/home”

DO THIS ON THE REMOTE SERVER

We now need to ensure that there is a matching openhab account residing on the remote device. After creating this user I then made changes to the sudoers.d file to ensure it could perform the command “shutdown -r now”.

sudo visudo -f /etc/sudoers.d/010_pi-nopasswd

I then added the entry

openhab ALL=(ALL) NOPASSWD: /sbin/shutdown

The next step is to create an “.ssh” directory in the openhab home directory. We will then need to copy in the file “/var/lib/openhab2/.ssh/id_rsa.pub” from the openHAB server.

Login as the openhab user you have just created

su openhab

when prompted, enter the password you gave the account and then enter

cd

This will ensure you are taken to your home directory. From here you will enter

mkdir .ssh

All we need to do now is copy in the public key file that we created from the openHAB server.

DO THIS FROM THE OPENHAB SERVER

Ensure you are logged on with

sudo -u openhab /bin/bash

then run the following substituting xxx.xxx.xxx.xxx for your remote server ip address.

scp /var/lib/openhab2/.ssh/id_rsa.pub openhab@xxx.xxx.xxx.xxx:/home/openhab/.ssh/key_upload.pub

Enter your openhab password on the remote machine when prompted.

DO THIS ON THE REMOTE SERVER

Ensuring you are still logged in as openhab , do the following -

cd /home/openhab/.ssh
cat key_upload.pub >> authorized_keys

At this point you should be all done.

Hopefully this will help point someone in the right direction if they are trying to do a similar task.

Cheers
Karl.

Karl1 · May 5, 2019, 4:56pm

Dear Karl2

Congratulation great tutorial. Helps me a lot to understand the task in detail. Have read a lot of post but after your post it was a lot clearer to me how this remote shutdown work and what preparation tasks are really necessary.

Have similar configuration with 2 raspies.( openhab Server and remote raspi with Hostname Badmax2play)
Did all the steps as explained and can now remote reboot the remote Badmax2play from the raspi where openhab runs with putty ( no password necessary ) Following command with putty works great

´´´ssh openhab@IP-adress sudo reboot

Only the first part i don´t do (add user openhab to the sudo group). You wrote maybe it works without this
Now when i try it with the rule and the “execute command” remote Raspi did not reboot.

The log look like:

Is there a possibility not to give openhab the “full” sudo rights on the openhab server machine. On the remote machine i limited the right of the openhab user to the commands reboot and shutdown.

Sorry for the maybe silly question but i´m a Linux newcomer and would limit the rights of the users as much as possible due to security reasons. And adding user openhab to sudo group give this user as i interpreted at the moment the full root rights ???
Is this correct ???

Greetings
Karl

Karl1 · May 5, 2019, 5:46pm

Sorry found a failure in my rule. The following version works without adding the user openhab on the openHAB2server raspi to the sudo group.

rule "Reboot Max2play_Bad"
when
    Item Max2play_Bad_reboot received command "Reboot"
then
    var String results = ""
    results = executeCommandLine("ssh openhab@192.168.1.40 sudo reboot", 5000)
    logInfo("OpenHAB Reboot Alarm", "results=" + results)
end

You could see it in the logs:

But nevertheless my question stays; is it possible to add user openhab to sudo group with limited rights???
is something like this possible ?

Karl

Karl2 · May 6, 2019, 3:13pm

After googling, I’ve taken this from stackexchange website…

sudo group members can execute any command (If the goal is to have a lower privileged user, I would not suggest adding your new user to this group. Instead I would add a per command or usename based rule to the sudoers file).

In general you can use google to discover the purpose of a group, by doing something like this: google search, oviously changing the name of the group.

I would suggest that you create you new user without adding them to any additional groups (like the pi group they will be a member of the group with the same name as their username). And as you find things the new user can not do add the user to specific groups. This is in keeping with the concept of least privileges.

alexxio · May 7, 2019, 8:49am

Yes it’s possible.
Don’t put openhab in any group at all and just edit the /etc/sudoers file addings this lines:

# Create an alias for the openhab user
User_Alias OPENHAB_USER = openhab

# Create an alias for all the command you whish to sudo without password
Cmnd_Alias OPENHAB_COMMANDS = /sbin/reboot

# Allow the above user alias to execute the above command alias with no password
OPENHAB_USER ALL= (ALL) NOPASSWD: OPENHAB_COMMANDS

This way you only give the openhab user only some specific command to sudo without password, without opening it system wide.

Hope it helps.
A.

ps. the OPENHABS_COMMANDS alias can be a list of comma separated binaries.

Karl1 · May 13, 2019, 6:20pm

Great

That´s exact what i´m searching for.
So user openhab gets on a very granular level only the right he need for the specific task. Perfekt

anonymous.one · May 17, 2019, 3:22am

Huge kudos for taking the time to write this up @Karl2, I am working on methods to sleep/hibernate systems at my house when no one is home…was starting to lose my mind as it wasn’t occurring to me that openhab is the ID required for the passwordless ssh connection.

Now to just find a way to suspend VMs within ESX (free version), I suspect remote SSH commands are going to bomb; may have to do it dirty and script out something in AutoIT and click through things on the vSphere client.

Arpagor · October 6, 2020, 1:20pm

Followed the instructions to the letter but Permission denied error (publickey, password). !!!

After having tested a lot of changes in the sshd_config which did not solve the problem and even it was worse for some!
I finally came across a post that gave me the solution !!!
I put it for those who have encountered the same error.

first the sshd_config file on the server on which we want to execute scripts remotely by ssh
validated lines:

PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

and now the most important because otherwise the error persists:

modify the attributes for the .ssh directory

0700 openhab:openhab for /.ssh

Modify the attributes for the files in the .ssh directory

0644 openhab:openhab for /.ssh/authorized_keys
0644 openhab:openhab for /.ssh/known_hosts
0600 openhab:openhab for /.ssh/id_rsa

restart ssh and sshd:

systemctl restart ssh
systemctl restart sshd

And there normally everything is fine !!!

Arpagor · October 6, 2020, 1:28pm

Other information that I had trouble finding: syntax for running a script with arguments under ssh:

Here is hoping that it will save some time!