executeCommandLine syntax/version?

Hi,
I’m a little confused about the exec command line syntax for v1 or v2. Can you tell me if the code I’m trying to run below is v1 or v2 syntax? I’m running the latest openHAB 2.4.

rule "Reboot Alarm PI remote from OpenHAB"
when 
    Item RebootPI_FromOpenHAB received command
then
    if (receivedCommand == 100) 
    {
        var String results = ""
        results = executeCommandLine("ssh openhabian@192.168.0.82 sudo shutdown -r now", 5000)
        logInfo("OpenHAB Reboot Alarm", "results=" + results)
    }
end 

If I cut and paste the “ssh openhabian@192.168.0.82 sudo shutdown -r now” to the command line it works perfectly. If I try and run it above as an action from a button then the logs show

[me.model.script.OpenHAB Reboot Alarm] - results=Host key verification failed.

If I specify a path for the ssh key

results = executeCommandLine("ssh -i /home/openhabian/.ssh/id_rsa openhabian@192.168.0.82 sudo shutdown -r now", 5000)

I then get the error

[me.model.script.OpenHAB Reboot Alarm] - results=Warning: Identity file /home/openhabian/.ssh/id_rsa not accessible: Permission denied.

I have all the necessary files in place located in .ssh. Are the rules not being executed as openhabian perhaps?

Cheers,
Karl.

Neither, you are running the executeCommandLine Action. This is independent from the bindings.

Running as what user? From your Rule the ssh is being executed as the user openhab. Have you set up the ssh certificates for the openhab user?

That’s because that’s the user openhabian’s .ssh file, not the user openhab. The user openhab doesn’t have permission to read that file. And if you open up the permissions on that file, ssh will fail because that isn’t allowed. You need to set up the .ssh folder for the openhab user.

Hi,
Thanks for the reply.

I logged in as openhab using info from another post you commented on.

sudo -u openhab /bin/bash

From here I then ran

ssh-keygen -t rsa -b 4096

when given the option of where to place the generated files I placed them in

/var/lib/openhab2/tmp

I then moved the public id file to the target machine and setup accordingly. Once the files were here I could then do

results = executeCommandLine("ssh -i /var/lib/openhab2/tmp/id_rsa openhab@192.168.0.82 sudo shutdown -r now", 5000)

I couldn’t use the /var/lib/openhab2/.ssh dir structure since, even though it’s the home for openhab, it appears to be managed by root. I used visudo to add openhab as ALL=(ALL) NOPASSWD: ALL but it did not help. I’ve left that entry in the /etc/sudoers.d/010_pi-password file just in case it’s needed to run the entire command line in my rule. I also added openhab to a few additional groups, “sudo” and “adm”, to no avail.

Hopefully this “work around” will have no detrimental effects on the server because everything now appears to work as expected.

Regards
Karl.

1 Like

It’s not managed by root. Everything in /var/lib/openhab2 should be owned by the openhab user.

What are you hoping to help with this? It’s a really bad idea really as you have just given the openhab user the ability to run anything as root without a password. You may as well run OH as root.

Don’t just blindly make changes that have such profound security implications. And don’t just try things hoping something sticks when dealing with this sort of thing.

Finally, openhab doesn’t need sudo permission at all to run ssh.

  1. Put the ssh keys in /var/lib/openhab2/.ssh where they belong and make sure only the openhab user has permission to read them.

  2. Don’t ssh to 192.168.0.82 as the openhab user. There shouldn’t be an openhab user on this remote machine. If this isn’t a remote machine, then why in the world are you messing with ssh in the first place? It’s like buying a plane ticket to go from your living room to your kitchen. You don’t need to and it’s expensive.

  3. Never give NOPASSWD: ALL permissions to ANY user. You may as well just run everything as root if you do that. Users should be given permissions to the minimum set of commands necessary, especially when a password is not required.

Hi Rich,

Thanks for explaining things. I’m not really familiar with linux coming from a windows background. Sorry about that, got a lot to learn.

Regarding the “root” settings in the /var/lib/openhab2/.ssh, it would appear that they were set when I needed to use sudo to copy the files into this directory because I was logged in as openhabian at the time. I’ve run the following to sort out the ownership. Perhaps you could confirm I’ve used the correct commands. Not sure what the minimal permissions should be using chmod though.

sudo chown openhab /var/lib/openhab2/.ssh/id_rsa
sudo chown openhab /var/lib/openhab2/.ssh/id_rsa.pub
sudo chown :openhab /var/lib/openhab2/.ssh/id_rsa
sudo chown :openhab /var/lib/openhab2/.ssh/id_rsa.pub

I’ve also removed openhab from the sudoers.d file. The executeCommandLine in the rule now looks like this and appears to be working.

results = executeCommandLine("ssh openhab@192.168.0.82 sudo shutdown -r now", 5000)

Regarding point 2: Sorry, I’m not sure if I’ve made it clear, but I’m using my openHAB Raspberry Pi to reboot another Pi running an alarm system, hence the need for ssh. It would appear that I need the openhab user configured on the remote alarm Pi device, but I’m not sure what minimal permissions would be needed. At the moment the sudoers.d file has an entry for openhab ALL=(ALL) NOPASSWD: ALL. If I remove this entry then in the openhab log I get

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified

Maybe I’m incorrectly making the assumption it needs admin because the command it’s executing is “sudo shutdown -r now”.

Thanks for your patience.

Regards,
Karl.

This can be fixed with the -t option of ssh.

Hi there,

Just had a look at ssh help and couldn’t find the “-t” option. Anyway, I tried adding it as you suggested so my executeCommandLine looks like

results = executeCommandLine("ssh -t openhab@192.168.0.82 sudo shutdown -r now", 5000)

I removed the following line from the remote server’s sudoers.d file

openhab  ALL=(ALL) NOPASSWD: ALL

But it didn’t work. The log shows

2019-04-23 22:56:07.459 [INFO ] [me.model.script.OpenHAB Reboot Alarm] - results=Pseudo-terminal will not be allocated because stdin is not a terminal.

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

So it looks like I still need the permissions in the sudoers.d file on the remote PI to run the “sudo shutdown -r now” command.

Regards.
Karl.

Rich’s point was that you shouldn’t grant a user the ability to do anything it wants, no matter how limited the risk is. I’m inclined to agree.

I wrote a guide for using OH to reboot or shut down an RPi, but it’s for the Pi that OH is on. However, I suspect that the permissions you need on your remote Pi are the same.

# Allow openhab user to execute reboot and poweroff commands
openhab   ALL=(ALL) NOPASSWD: /sbin/reboot, /sbin/poweroff

Note that this won’t solve your “SSH into another Pi” problem, but it might get you a step closer to the overall solution.

Hi Russell,

I’ll take some time out today to look over the link you sent me. Thanks for the info, it looks like a good read.

Cheers,
Karl.

You could have changed the user and group in one command using openhab:openhab, but otherwise the commands look correct.

Set up openhab with the ssh keys for the pi user on the other machine and log into that other machine as pi.

ssh pi@192.168.0.82

You may have to give the pi user permission to run shutdown without a password, but don’t give it NOPASSWD for all commands, just the shutdown command.

Otherwise you will need to create an openhab user on the remote machine and give this user the sudoer permissions.

Finally, the first time you run sudo as a user on a machine you will get the “We trust you have…” message that you must acknowledge. Once acknowledged the message never appears again, so once you give the user on the alarm RPi sudo permissions, you should manually log into the machine and run a sudo command so you can acknowledge that warning message.

Hi,
I have everything working now. Thanks for your help, much appreciated.
Cheers,
Karl.

Future readers might benefit from a quick summary of what you finally did to get it to work. I’m glad it’s working!

1 Like

@Karl2 as Rich suggests please provide your working solution as many OH users are not familiar with Linux and any guide that helps to protect others is most welcome.

I have 2 raspberry pi devices -

  • The first one is running the openHAB server and sitemap to control the alarm.
  • The second is set up to run my home alarm Python application.

Currently, the only way I have of rebooting the alarm is via MQTT. If the broker were to hang on the openHAB server or the alarm application were to become unresponsive, then I wouldn’t be able to reboot to clear any issues. To solve this problem I decided it would be a good idea to set up an openHAB rule to issue a remote reboot as an alternative option.

rule "Reboot PI (OpenHAB)"
when 
    Item RebootPI_FromOpenHAB received command
then
    if (receivedCommand == 100) 
    {
        var String results = ""
        results = executeCommandLine("ssh openhab@192.168.0.82 sudo shutdown -r now", 5000)
        logInfo("OpenHAB Reboot Alarm", "results=" + results)
        sendNotification("xxxx@xxx.com", "OpenHAB Re-boot request has been sent !")  
    }
end 

The info provided from this point on is what I’ve understood from the advice given by the other posters in this thread. What I have implemented has worked, but perhaps Rich could do a sanity check on the text that follows just to make sure I’m not misleading anyone here. I’ve had to document this process after the event, but I’m confident that the steps below will achieve the desired result.

As pointed out to me, it’s worth noting that “executeCommandLine” uses the openhab account (not openhabian) to run its payload.

DO THIS FROM THE OPENHAB SERVER

The step that follows may or may not be necessary, but I did it anyway. I added openhab to the sudo group. You can omit this step and see what results you get once you have finished the rest of the steps below. If you have an issue then come back here and do this step.

sudo usermod -a -G sudo openhab

Now we need to log in as the openhab account. Since the password is not exposed you can use the command below. NOTE: I’ve read somewhere that the password is “habopen” but I’ve had no luck logging on as openhab with this password.

sudo -u openhab /bin/bash

Now you can run

ssh-keygen -t rsa -b 4096

When prompted, use the path below to store the keys. If the .ssh directory does not already exist you will have to create it.

/var/lib/openhab2/.ssh

It’s worth pointing out that “/var/lib/openhab2” is the home directory path for the openhab account. For all other accounts you would normally expect to see the home directory located in “/home”.

DO THIS ON THE REMOTE SERVER

We now need to ensure that there is a matching openhab account residing on the remote device. After creating this user I then made changes to the sudoers.d file to ensure it could perform the command “shutdown -r now”.

sudo visudo -f /etc/sudoers.d/010_pi-nopasswd

I then added the entry

openhab ALL=(ALL) NOPASSWD: /sbin/shutdown

The next step is to create an “.ssh” directory in the openhab home directory. We will then need to copy in the file “/var/lib/openhab2/.ssh/id_rsa.pub” from the openHAB server.

Log in as the openhab user you have just created

su openhab

When prompted, enter the password you gave the account and then enter

cd

This will ensure you are taken to your home directory. From here you will enter

mkdir .ssh

All we need to do now is copy in the public key file that we created from the openHAB server.

DO THIS FROM THE OPENHAB SERVER

Ensure you are logged on with

sudo -u openhab /bin/bash

then run the following, substituting xxx.xxx.xxx.xxx with your remote server’s IP address.

scp /var/lib/openhab2/.ssh/id_rsa.pub openhab@xxx.xxx.xxx.xxx:/home/openhab/.ssh/key_upload.pub

Enter your openhab password on the remote machine when prompted.

DO THIS ON THE REMOTE SERVER

Ensuring you are still logged in as openhab, do the following -

cd /home/openhab/.ssh
cat key_upload.pub >> authorized_keys

At this point you should be all done.

Hopefully this will help point someone in the right direction if they are trying to do a similar task.

Cheers
Karl.

2 Likes
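As an added example (not code from this thread, from openHAB or from openhabian), here is a small POSIX shell audit covering Rich’s three points above and the final write-up: it checks that an account’s .ssh directory and the private keys inside it are owned by that account with restrictive modes (the “Permission denied” and ownership problems earlier in the thread), and it scans a sudoers fragment for NOPASSWD rules that grant ALL rather than a named command such as /sbin/shutdown. It assumes GNU stat (Linux) and builds constructed fixtures in a temporary directory so it can run as whatever user invokes it; the function names, the fixture contents and the demo are mine, while the real paths in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Added example; not code from the thread, openHAB or openhabian.
# Two audit helpers for the ssh-plus-restricted-sudo setup described above.
# Assumes GNU stat (Linux).
#
#   check_ssh_dir USER DIR   verify DIR (the account's ~/.ssh) is owned by USER
#                            and mode 700, and that private keys in it are
#                            USER-owned and mode 600 (or 400)
#   audit_sudoers FILE       flag NOPASSWD rules whose command list is ALL
#
# Each prints one line per finding and returns 1 if anything was found.
# On a real server you would call them as:
#   check_ssh_dir openhab /var/lib/openhab2/.ssh
#   audit_sudoers /etc/sudoers.d/010_pi-nopasswd

check_ssh_dir() {
    user="$1"; dir="$2"; rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"
        return 1
    fi
    uid=$(id -u "$user" 2>/dev/null) || uid="$user"   # accept a name or a numeric uid
    owner=$(stat -c '%u' "$dir"); mode=$(stat -c '%a' "$dir")
    [ "$owner" = "$uid" ] || { echo "$dir: owned by uid $owner, expected $user"; rc=1; }
    [ "$mode" = "700" ] || { echo "$dir: mode $mode, expected 700"; rc=1; }
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac          # public halves may stay world-readable
        owner=$(stat -c '%u' "$key"); mode=$(stat -c '%a' "$key")
        [ "$owner" = "$uid" ] || { echo "$key: owned by uid $owner, expected $user"; rc=1; }
        case "$mode" in
            600|400) ;;
            *) echo "$key: mode $mode, expected 600 (ssh refuses keys others can read)"; rc=1 ;;
        esac
    done
    return $rc
}

audit_sudoers() {
    file="$1"; rc=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;                        # comments and blank lines
            *NOPASSWD:*)
                # command list is everything after the last "NOPASSWD:", whitespace removed
                cmds=$(printf '%s' "${line##*NOPASSWD:}" | tr -d ' \t')
                if [ "$cmds" = "ALL" ]; then
                    echo "$file: \"$line\" allows every command as root without a password"
                    rc=1
                fi ;;
        esac
    done < "$file"
    return $rc
}

# Constructed fixtures (not real server state) so the helpers can be exercised
# offline as the current user: one correct .ssh tree, one with loose modes,
# one sudoers fragment limited to /sbin/shutdown and one granting ALL.
run_demo() {
    me=$(id -u); tmp=$(mktemp -d)
    mkdir -p "$tmp/good" "$tmp/bad"
    chmod 700 "$tmp/good"; chmod 755 "$tmp/bad"
    touch "$tmp/good/id_rsa" "$tmp/good/id_rsa.pub" "$tmp/bad/id_rsa"
    chmod 600 "$tmp/good/id_rsa"; chmod 644 "$tmp/bad/id_rsa"
    printf '%s\n' 'openhab ALL=(ALL) NOPASSWD: /sbin/shutdown' > "$tmp/sudoers_ok"
    printf '%s\n' '# left over from debugging' 'openhab ALL=(ALL) NOPASSWD: ALL' > "$tmp/sudoers_bad"
    for d in good bad; do
        if check_ssh_dir "$me" "$tmp/$d"; then echo "$d: ssh dir OK"; fi
    done
    for f in sudoers_ok sudoers_bad; do
        if audit_sudoers "$tmp/$f"; then echo "$f: no blanket NOPASSWD rules"; fi
    done
    rm -rf "$tmp"
}

run_demo
```

The directory check fails on the exact symptom from the thread: a key copied in with sudo ends up root-owned, and an openhab rule running as the openhab user then cannot read it. The sudoers check only flags the command list ALL; an entry naming /sbin/shutdown, or /sbin/reboot and /sbin/poweroff as in Russell’s guide, passes.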

Thanks Karl.

I’ve bookmarked your post, for quick access, to direct others with similar issues/questions here. Saves a lot of retyping.

You could also take the last post, change the title, and add it to the Tutorial category.