Host key verification failed on executing command from rules

openHabian/openHab 3.4.5
RPi 3 B+
JSR223/Nashorn

I have a function in my rules that restarts bindings for various purposes:

// Restart an OSGi bundle by running "bundle:restart <id>" over SSH against the
// Karaf console (port 8101). Nashorn-style JS; logInfo comes from the rule's
// helper library and is not defined here.
function RestartBinding(sBindingID)
{
  var Exec = Java.type("org.openhab.core.model.script.actions.Exec");
  var Duration = Java.type("java.time.Duration");
  // @ts-ignore
  // Runs: sudo /usr/bin/ssh -p 8101 -i <key> openhab@localhost bundle:restart <id>, with a 6 s timeout
  var response = Exec.executeCommandLine(Duration.ofSeconds(6), "sudo", "/usr/bin/ssh", "-p", "8101", "-i", "/var/lib/openhab/.ssh/openhab.id_rsa", "openhab@localhost", "bundle:restart", sBindingID);

  logInfo("RestartBinding: response: " + response);
}

It requires that a command can be executed (ssh) without entering a password. I’ve followed the usual steps and it’s working fine on my old setup (OH 3.3.0). However, on my new setup, built with the latest openHabian and updated to OH 3.4.5 (as a stepping stone to upgrading to OH4), the command is not working. When it’s executed from the rules, it returns the error “Host key verification failed.” However, if I execute it from the command line, as follows:

sudo -u openhab /usr/bin/ssh -p 8101 -i /var/lib/openhab/.ssh/openhab.id_rsa openhab@localhost bundle:restart org.jupnp

no error is returned and it works as intended.

Steps I’ve followed on the new setup:

  • Generate a public/private key pair with ssh-keygen in karaf_keys.
  • Copy the key to /var/lib/openhab/etc/keys.properties with the format openhab=[publickey],_g_:admingroup
  • Delete the known_hosts file so that I don’t get the “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!” message.
  • Give the openhab user ownership of /var/lib/openhab/.ssh and give the owner read/write/exec permissions.
  • Copy the private key to /var/lib/openhab/.ssh
  • Set permissions 700 on /var/lib/openhab/.ssh/openhab.id_rsa
  • Add the following line to sudoers:
    openhab ALL= NOPASSWD: /bin/rm, /bin/chmod, /bin/chown, /usr/bin/amixer, /usr/bin/l2ping, /usr/bin/ssh, /sbin/reboot, /sbin/shutdown, /bin/systemctl

I feel like I’ve read and re-read every post on this, and I’ve followed the steps multiple times, and yet something escapes me.
Any idea what I’m missing on 3.4.5 versus 3.3.0?

Why do you need sudo here? Wouldn’t it work without it? Furthermore, without sudo, you could probably specify a relative path to the id_rsa file.

Just guessing here, that when you use sudo, ssh will check the root’s host key file because it’s running as root
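Added example, not code from the thread: a small POSIX shell check that resolves which known_hosts file ssh consults for a given OS user (ssh expands ~/.ssh/known_hosts from the passwd home of the effective user, so under sudo it reads root’s file, not openhab’s) and whether that file already holds a plain-text entry for a host on a non-default port such as localhost:8101. The function names and the sample entry are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper functions.

# Print the known_hosts path ssh will use for OS user $1, taken from the
# passwd database (the same lookup ssh does), not from $HOME.
known_hosts_for_user() {
  home=$(getent passwd "$1" | cut -d: -f6)
  [ -n "$home" ] || return 1
  printf '%s/.ssh/known_hosts\n' "$home"
}

# Build the host field ssh writes for host $1 on port $2:
# "[host]:port" for non-default ports, bare "host" for port 22.
known_hosts_pattern() {
  if [ "$2" = 22 ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# Return 0 if known_hosts file $1 has a plain-text entry for host $2, port $3.
# Hashed entries (HashKnownHosts yes, lines starting with "|1|") are skipped;
# use "ssh-keygen -F '[host]:port' -f FILE" to query those.
host_key_known() {
  pat=$(known_hosts_pattern "$2" "$3")
  [ -r "$1" ] || return 1
  awk -v p="$pat" '
    $1 !~ /^[|#@]/ {
      n = split($1, h, ",")                # one entry may list several hosts
      for (i = 1; i <= n; i++) if (h[i] == p) found = 1
    }
    END { exit !found }' "$1"
}

# Report, for each OS user given after host and port, whether the host key is
# already trusted.  Example: report_host_key localhost 8101 openhab root
report_host_key() {
  host=$1; port=$2; shift 2
  for u in "$@"; do
    f=$(known_hosts_for_user "$u") || { echo "$u: no passwd entry"; continue; }
    if host_key_known "$f" "$host" "$port"; then
      echo "$u: $f has $host:$port"
    else
      echo "$u: $f lacks $host:$port (ssh running as $u would prompt or fail)"
    fi
  done
}
```

Running report_host_key localhost 8101 openhab root on the affected box shows why the rule (via sudo, so as root) fails while the interactive test (as openhab) succeeds.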

I could try removing it. But, I have to point out, the command works fine on 3.3.0. I’ll give it a go.

You were right. Removing sudo makes it work. Many thanks!

Now I’m curious to know how it works on 3.3.0.

Something might have changed in root’s host keys but perhaps you weren’t paying attention to it, and instead focusing on openhab’s host keys.

Do you really need rm, chmod, chown, and ssh there? This essentially gives the openhab user a root level access to your entire system.

I suspect I copied that from an example way back and indeed I don’t need chmod, chown, amixer, or l2ping. I obviously do need ssh.

What do you need ssh for? It runs just fine without root privileges.

Instead of allowing rm, write a script that does your deletion and allow that in sudoers.

I was very much under the impression, from reading different threads on restarting bundles from commands, that you did need root privileges, but again you’re right. It works just fine without them.

You need root permissions to restart OS level daemons for sure.

But the users that exist in the karaf console (which is what you are accessing when you ssh to port 8101 on an openHAB machine) are completely separate from the operating system. Indeed the user you use to log into the karaf console needs administration permissions, but those permissions are granted in $OH_USERDATA/etc/users.properties by adding the login user to the admin group.

In short, ssh’ing to the Karaf console is like ssh’ing to a whole other machine. And each machine (unless you’ve set something up like LDAP) manages its users independently.

It’s unfortunately confusing that there is an openhab user on the OS under which OH runs and the karaf console has a completely separate user also named openhab. But these are indeed separate users.

So the login user is in the admin group by default, and therefore it has permission to restart the bundle without further ado?

Unless you’ve changed it for some reason, the openhab user for karaf should be a member of group,admin,manager,viewer,systembundles. This will give that user permission to do everything including restarting bundles. You can verify this by looking in $OH_USERDATA/etc/users.properties.
