I have a function in my rules that restarts bindings for various purposes:
```javascript
function RestartBinding(sBindingID)
{
    var Exec = Java.type("org.openhab.core.model.script.actions.Exec");
    var Duration = Java.type("java.time.Duration");
    // @ts-ignore
    // ssh to the Karaf console on port 8101 as the console user "openhab" and
    // run bundle:restart; give up after 6 seconds and keep whatever it printed
    var response = Exec.executeCommandLine(Duration.ofSeconds(6), "sudo", "/usr/bin/ssh", "-p", "8101", "-i", "/var/lib/openhab/.ssh/openhab.id_rsa", "openhab@localhost", "bundle:restart", sBindingID);
    logInfo("RestartBinding: response: " + response);
}
```
It requires that a command can be executed (ssh) without entering a password. I’ve followed the usual steps and it’s working fine on my old setup (OH 3.3.0). However, on my new setup, built with the latest openHabian and updated to OH 3.4.5 (as a stepping stone to upgrading to OH4), the command is not working. When it’s executed from the rules, it returns the error “Host key verification failed.”. However, if I execute it from the command line, as follows:
1. Generate a public/private key pair with ssh-keygen in karaf_keys.
2. Copy the key to /var/lib/openhab/etc/keys.properties with the format openhab=[publickey],_g_:admingroup
3. Delete the known_hosts file so that I don’t get the “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!” message.
4. Give the openhab user ownership of /var/lib/openhab/.ssh and give the owner read/write/exec permissions.
5. Copy the private key to /var/lib/openhab/.ssh
6. Set permissions 700 on /var/lib/openhab/.ssh/openhab.id_rsa
7. Add the following line to sudoers: openhab ALL= NOPASSWD: /bin/rm, /bin/chmod, /bin/chown, /usr/bin/amixer, /usr/bin/l2ping, /usr/bin/ssh, /sbin/reboot, /sbin/shutdown, /bin/systemctl
I feel like I’ve read and re-read every post on this, and I’ve followed the steps multiple times, and yet something escapes me.
Any idea what I’m missing on 3.4.5 versus 3.3.0?
I was very much under the impression, from reading different threads on restarting bundles from commands, that you did need root privileges, but again you’re right. It works just fine without them.
You need root permissions to restart OS level daemons for sure.
But the users that exist in the karaf console (which is what you are accessing when you ssh to port 8101 on an openHAB machine) are completely separate from the operating system. Indeed the user you use to log into the karaf console needs administration permissions, but those permissions are granted in $OH_USERDATA/etc/users.properties by adding the login user to the admin group.
In short, ssh’ing to the Karaf console is like ssh’ing to a whole other machine. And each machine (unless you’ve set something up like LDAP) manages its users independently.
It’s unfortunately confusing that there is an openhab user on the OS under which OH runs and the karaf console has a completely separate user also named openhab. But these are indeed separate users.
Unless you’ve changed it for some reason, the openhab user for karaf should be a member of group,admin,manager,viewer,systembundles. This will give that user permission to do everything including restarting bundles. You can verify this by looking in $OH_USERDATA/etc/users.properties.
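As an added example (not code from this thread or from openHAB), here is a small POSIX shell helper that reads the Karaf console user's effective roles out of users.properties or keys.properties, expanding the `_g_:admingroup` reference the way Karaf does, checks that the private key is not readable by group or other, and wraps the `bundle:restart` call with `BatchMode=yes` so an unknown host key or unusable key fails right away instead of waiting on a prompt a rule can never answer. The port, paths and the console user `openhab` are taken from the thread; the function names and the sample property files in the comments are assumptions of this example. Note that ssh consults the known_hosts file of whichever account actually runs it, so a command that works interactively can still fail under a different user.

```shell
#!/bin/sh
# Added example, not from the thread: inspect Karaf console accounts and keys.

# prop_value FILE KEY -> value of KEY with Karaf's backslash escapes removed
# (group lines are stored as "_g_\:admingroup = group,admin,...")
prop_value() {
  tr -d '\\' < "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr -d ' '
}

# karaf_roles FILE USER -> comma-separated roles; field 1 of the entry is the
# password hash (users.properties) or the public key (keys.properties)
karaf_roles() {
  entry=$(prop_value "$1" "$2")
  [ -n "$entry" ] || return 1
  out=''
  for r in $(printf '%s' "$entry" | cut -s -d, -f2- | tr ',' ' '); do
    case $r in
      _g_:*) r=$(prop_value "$1" "$r") ;;   # expand a group into its roles
    esac
    out="${out:+$out,}$r"
  done
  printf '%s\n' "$out"
}

# has_role FILE USER ROLE -> exit 0 if USER holds ROLE (e.g. systembundles)
has_role() {
  case ",$(karaf_roles "$1" "$2")," in
    *",$3,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# key_mode_ok FILE -> exit 0 only if group and other have no access to the key
key_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case $mode in
    [0-7]00) return 0 ;;
    *)       return 1 ;;
  esac
}

# restart_bundle BUNDLE -> bundle:restart over the console's ssh port as the
# console user "openhab" (a Karaf account, not the OS account of that name).
# BatchMode=yes turns a missing host key or key problem into an immediate
# non-zero exit instead of an interactive prompt.
restart_bundle() {
  ssh -o BatchMode=yes -p 8101 -i /var/lib/openhab/.ssh/openhab.id_rsa \
      openhab@localhost bundle:restart "$1"
}
```

A rule can call `has_role` on $OH_USERDATA/etc/users.properties before attempting the restart, which turns a silent permission problem into a clear log line.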