Oh boy. You are pretty thoroughly hosed. Not impossibly hosed, but your system is in dire straits. Messing up sudoers on a system with no login-capable root account is probably second only to rm -rf / and tied with sudo chmod -R a-x / in single commands that can almost completely disable a system.
In the future and all you future readers of this thread:
ONLY EDIT sudoers USING visudo!
I speak from experience.
You need to boot into some other OS, mount the file system from your server, and re-edit sudoers to make it valid. I have no idea what could be wrong with it. It might just be the file permissions (it should be read/write for root only and no permissions for everyone else).
Since you are running openhabian, you might be able to do this easily if you have a Linux machine or VM that you can mount the SD card to. You can then use visudo -f /path/to/sdcard/sudoers/file. If you have a spare card and USB SD card reader, you might be able to put a stock raspbian on a new SD card and mount the old SD card from the USB reader.
If not, you need to decide if it is going to be more work to set up an environment where you can mount the SD card's file system or just rebuild the OS from scratch. Of course, if you have files you need off of that SD card, you will have to do this anyway if you don't have recent backups.
I had an Ubuntu server that I messed up sudoers on and had to boot into a live CD, chroot, and then edit using visudo in order to get my system back. Hopefully, you will have an easier time of it.
BUT, you are on the right track in solving your original problem.
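An added example, not code from the thread, of the repair described above: with the card's root filesystem mounted on a working machine, locate every sudoers file on it (/etc/sudoers plus anything under /etc/sudoers.d), confirm the mode is 0440, and parse it with visudo -c -f before putting the card back. The mount point, the file layout under it and the sample sudoers lines in the demo are assumptions; it is plain POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the SD card's root
# filesystem is mounted at some directory ($CARD below) on a working machine.

# List every sudoers file on the mounted card: /etc/sudoers plus anything
# under /etc/sudoers.d (sudo reads both, so a bad drop-in file hurts as much).
find_sudoers_on_card() {
  find "$1/etc" -type f \( -name sudoers -o -path '*/sudoers.d/*' \) 2>/dev/null
}

# Octal mode of a file; GNU stat (Linux) first, BSD stat (macOS) as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# sudo refuses a sudoers file that is readable or writable by others,
# so expect exactly 0440 (owner root, group root as well).
sudoers_mode_ok() {
  [ "$(file_mode "$1")" = "440" ]
}

# Parse-only check with visudo: -f points it at the foreign file instead of
# the running system's /etc/sudoers, -c reports "parsed OK" or the error
# (recent sudo versions also report a wrong owner or mode here).
sudoers_syntax_ok() {
  if ! command -v visudo >/dev/null 2>&1; then
    echo "visudo not installed here; parse the file on a Linux box instead" >&2
    return 2
  fi
  visudo -c -f "$1"
}

# Run both checks on every sudoers file found under the mount point.
# (Plain for-loop word splitting: fine for mount paths without spaces.)
check_card_sudoers() {
  rc=0
  for f in $(find_sudoers_on_card "$1"); do
    if sudoers_mode_ok "$f"; then
      echo "mode ok       $f"
    else
      echo "BAD MODE $(file_mode "$f")  $f  (fix: chmod 0440, chown root:root)"
      rc=1
    fi
    sudoers_syntax_ok "$f" || rc=1
  done
  return $rc
}

# Demo on a constructed tree (not a real card) so it runs anywhere.
CARD=$(mktemp -d)
mkdir -p "$CARD/etc/sudoers.d"
printf 'root ALL=(ALL:ALL) ALL\n' > "$CARD/etc/sudoers"
printf 'openhabian ALL=(ALL) NOPASSWD: ALL\n' > "$CARD/etc/sudoers.d/010_openhabian"
chmod 0440 "$CARD/etc/sudoers"                      # correct
chmod 0644 "$CARD/etc/sudoers.d/010_openhabian"     # deliberately wrong
check_card_sudoers "$CARD" || echo "one or more sudoers files need fixing"
# Once you know which file is broken, edit it in place with: visudo -f "$CARD/etc/sudoers"
```

On a Mac the card's Linux partition only appears under /Volumes if you have an ext4 driver installed; otherwise a Linux VM with the card reader passed through is the easier route, and the same functions work there with the VM's mount point as the argument.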
EDIT II:
If I generate the key without a passphrase, it seems to be working in the console: sudo -u openhab ssh-keygen -t rsa -f openhab.id_rsa
(just confirm with enter if passphrase is requested)
entering karaf without password works: sudo -u openhab ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost
Next I will test it from the rule
When you created the keys, did you supply a password? If I understand what you've done so far, if you applied a password to your private key then you will have to enter that password every time you need to authenticate against your public key (i.e. when you log in via ssh), which you discovered in your EDIT II.
Glad you got it to work. I am pretty sure it should work from a rule as well now.
It does work on the console with: ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost 'bundle:restart org.openhab.binding.netatmo'
Yes, previously I provided a passphrase with -N, but after I did it again without it, I was able to run it from bash.
However, it does not run from within OH, and it does not provide any response (same as running it from bash).
I guess I need to go to DEBUG level for all Karaf relevant packages…
EDIT:
I tried this as well - no change: executeCommandLine("ssh@@-p@@8101@@-i@@/home/openhab/karaf_keys/openhab.id_rsa@@openhab@localhost@@'bundle:restart org.openhab.binding.netatmo'", 6000)
I also set some karaf related bindings to DEBUG, but this does not show any DEBUG entry in openhab.log:
57 | Active | 80 | 4.0.8 | Apache Karaf :: Wrapper :: Core
110 | Active | 80 | 0.9.0.b5 | Eclipse SmartHome Console for OSGi runtime Karaf
167 | Active | 80 | 2.1.0 | openHAB Karaf Integration
EDIT:
Obviously there is a difference if I switch 'really' to the openhab user and run from there:
sudo su (to switch to root)
su openhab
this time I ran:
ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost
and confirmed:
Warning: Permanently added '[localhost]:8101' (RSA) to the list of known hosts.
However, it did not change anything (from the rule it's still not doing anything)
Thanks anyway - your help is greatly appreciated.
I guess you are the one with (by far) the most responses to any kind of problems.
So again - thanks for your patience and endurance
You have been right:
It does NOT work with: executeCommandLine("/usr/bin/ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost 'bundle:restart org.openhab.binding.netatmo'", 6000)
but it DOES with the same stuff in a script: executeCommandLine("/etc/openhab2/scripts/restartNetatmo.sh", 7000)
Now I remember that I struggled a lot with the same inconsistent behaviour when I started with OH.
I am wondering why this general issue is still present…
Because it is exceptionally difficult to execute command line scripts from Java and have it behave consistently across all operating systems and platforms.
I have permission issues:
Execution failed (Exit value: -559038737. Caused by java.io.IOException: Cannot run program "/etc/openhab2/scripts/renewFritzBoxWANIP.sh" (in directory "."): error=13, Permission denied)
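An added example, not code from the thread, of the script approach that worked above, with the Permission denied error from this post in mind: one function writes a wrapper script that runs the same ssh command the rule tried to pass directly, marks it executable, and a second function checks that executeCommandLine would actually be able to run it. The script path, the bundle-name argument, the default bundle and the BatchMode option are my additions; key path, port and user are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes the wrapper that an openHAB
# rule calls via executeCommandLine("/etc/openhab2/scripts/restartNetatmo.sh", 7000)
# and checks the file is executable: error=13 / Permission denied above is the
# missing execute bit (or a script not readable by the user running openHAB).

# Write the wrapper. The here-document is quoted, so $1 stays literal and the
# generated script takes the bundle name as its own argument (a generalisation
# of the one-bundle script in the thread); the default is the netatmo binding.
write_restart_script() {
  cat > "$1" <<'EOF'
#!/bin/sh
# Runs as the openhab user, so the key and known_hosts must be that user's
# (the host key was added by running ssh once as openhab, as in the thread).
# BatchMode=yes makes ssh fail instead of prompting for a passphrase or a
# host-key confirmation, since there is no terminal behind a rule.
exec /usr/bin/ssh -p 8101 -o BatchMode=yes \
  -i /home/openhab/karaf_keys/openhab.id_rsa \
  openhab@localhost "bundle:restart ${1:-org.openhab.binding.netatmo}"
EOF
  chmod 0755 "$1"
}

# What executeCommandLine needs: a regular file the calling user may execute.
script_is_runnable() {
  [ -f "$1" ] && [ -x "$1" ]
}

# The other usual cause of a silent failure: the private key is not readable
# by the user openHAB runs as (generate it with sudo -u openhab, as above).
key_is_readable() {
  [ -f "$1" ] && [ -r "$1" ]
}

# Demo into a temp directory; on the real system use /etc/openhab2/scripts.
DIR=$(mktemp -d)
SCRIPT="$DIR/restartNetatmo.sh"
write_restart_script "$SCRIPT"
if script_is_runnable "$SCRIPT"; then
  echo "ok: $SCRIPT is executable"
else
  echo "not executable: $SCRIPT (chmod +x it; the openhab user must be able to run it)"
fi
key_is_readable /home/openhab/karaf_keys/openhab.id_rsa \
  || echo "note: key not readable from here (expected unless this runs as openhab)"
```

Run the checks as the same user openHAB runs under (sudo -u openhab sh script.sh), otherwise the executable and readable tests answer for the wrong account.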
So I must embarrassingly admit that I am in almost the same situation. In an attempt to get a backup script to run without a password I messed with the sudoers file and have now removed my user openhabian from the sudoers… so now I cannot even run the backup command (even though I have a completely fresh backup).
I am working on a Mac, and have inserted the SD card like you say above, but how do I find the specific path to the SD card sudoers file in terminal? … thanks in advance from a desperate man…
I still don't fully get what needs to be done, as there's already an entry for the openhab user in /var/lib/openhab2/etc/users.properties (it's surrounded by {CRYPT} tags):
openhab = {CRYPT}xxxxxxxx{CRYPT},_g_:admingroup
Do I have to replace the current line for the openhab user with a line containing the public key (and the group) from karaf.id_rsa.pub generated according to the Karaf instructions? As in:
It's been years since I've done this. But I believe you need to add an entry to keys.properties, not users.properties. At least that is where I added my key.
authorized_keys controls what certificates are allowed to log into your host operating system's account. By adding your key to keys.properties, you are essentially editing the equivalent of authorized_keys for the Karaf Console.
When copying your key over from the .pub file, make sure to only copy the key part (the random string). Omit the ssh-rsa at the beginning and anything after it.
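An added example, not code from the thread, of the step just described: take only the key part out of karaf.id_rsa.pub and build the keys.properties line for the openhab user, leaving the existing users.properties line alone. The sample public key in the demo is constructed and is not a real key; the file paths and the _g_:admingroup suffix are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the keys.properties entry
# Karaf expects: <user>=<base64 key blob>,_g_:admingroup, i.e. the .pub line
# with the "ssh-rsa" type prefix and the trailing comment removed.

# Extract only the key blob (second whitespace-separated field) from an
# OpenSSH public key line. The comment after it is optional, so taking $2 is
# safer than stripping a suffix. Fails if no line looks like an ssh-* key
# (the thread's key is ssh-rsa; ecdsa types start differently and are not
# handled here).
pubkey_blob() {
  awk 'NF >= 2 && $1 ~ /^ssh-/ { print $2; found = 1; exit } END { exit !found }' "$1"
}

# Compose the line to append to /var/lib/openhab2/etc/keys.properties.
# The users.properties line for the same user ({CRYPT}...{CRYPT},_g_:admingroup)
# stays as it is; the key entry lives in keys.properties.
keys_properties_line() {
  user=$1
  blob=$(pubkey_blob "$2") || return 1
  printf '%s=%s,_g_:admingroup\n' "$user" "$blob"
}

# Demo on a constructed .pub file (not a real key) in a temp directory.
DIR=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0EXAMPLEKEYNOTREAL openhab@openhabian\n' \
  > "$DIR/karaf.id_rsa.pub"
keys_properties_line openhab "$DIR/karaf.id_rsa.pub"
# Expected line:
# openhab=AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0EXAMPLEKEYNOTREAL,_g_:admingroup
```

On the real system the output goes into keys.properties as the openhab user's own line (keys_properties_line openhab /home/openhab/karaf_keys/karaf.id_rsa.pub >> /var/lib/openhab2/etc/keys.properties), and the file must stay readable by the user openHAB runs as.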