How to restart binding within rules?

Oh boy. You are pretty thoroughly hosed. Not impossibly hosed but your system is in dire straits. Messing up sudoers on a no-loginable-root account system is probably second only to rm -rf / and tied with sudo chmod -R a-x / in single commands that can almost completely disable a system.

In the future and all you future readers of this thread:

ONLY EDIT sudoers USING visudo!

I speak from experience.

You need to boot into some other OS, mount the file system from your server, and re-edit sudoers to make it valid. I have no idea what could be wrong with it. It might just be the file permissions (it should be read/write for root only and no permissions for everyone else).

Since you are running openhabian, you might be able to do this easily if you have a Linux machine or VM that you can mount the SD card to. You can then use visudo -f /path/to/sdcard/sudoers/file. If you have a spare card and USB SD card reader, you might be able to put a stock raspbian on a new SD card and mount the old SD card from the USB reader.

If not, you need to decide if it is going to be more work to set up an environment where you can mount the SD card’s file system or just rebuild the OS from scratch. Of course, if you have files you need off of that SD card, you will have to do this anyway if you don’t have recent backups.

I had an Ubuntu server that I messed up sudoers on and had to boot into a live CD, chroot, and then edit using visudo in order to get my system back. Hopefully, you will have an easier time of it.

BUT, you are on the right track in solving your original problem. :wink:

I think I got it done almost.
However, when I call:

sudo -u openhab ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_dsa openhab@localhost

I always get the request for entering the passphrase.
How to get rid of this?

Did you configure karaf to use the cert by adding the public key to keys.properties?

Also, I notice you are using dsa. In another thread some users have discovered that karaf doesn’t like dsa and prefers rsa certs.

Thanks, Rich

I did the same stuff again with rsa:

sudo -u openhab ssh-keygen -t rsa -f openhab.id_rsa -N openhab

and have put the result from openhab.id_rsa.pub into /srv/openhab2-userdata/etc/keys.properties:

openhab=AAAAB3....xyz,_g_:admingroup

sudo -u openhab ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost

It does not ask for the password anymore, but for the passphrase (specified by -N above).
How to get rid of this?

Two questions:

  1. Will this be different, when running the command from OH’s rules (I am the real “openhab” user)?
  2. Is this related to the location of the key files? Means, do I need to put them into a specific folder?

EDIT:
Answer to 1 is NO:

2017-11-30 08:40:33.755 [INFO ] [.smarthome.model.script.system.rules] - Karaf_output: Password authentication^M
Password authentication^M
Password authentication^M
Permission denied, please try again.^M
Permission denied, please try again.^M
Permission denied (keyboard-interactive,password,publickey).

EDIT II:
If I generate the key without a passphrase, it seems to be working in the console:
sudo -u openhab ssh-keygen -t rsa -f openhab.id_rsa
(just confirm with enter if passphrase is requested)
entering karaf without password works:
sudo -u openhab ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost
Next I will test it from the rule

When you created the keys, did you supply a password? If I understand what you’ve done so far, if you applied a password to your private key then you will have to enter that password every time you need to authenticate against your public key (i.e. when you log in via ssh), which you discovered in your EDIT II.

Glad you got it to work. I am pretty sure it should work from a rule as well now.

It does work on the console with:
ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost 'bundle:restart org.openhab.binding.netatmo'

I hope it will do so from OH2 as well


Thanks for your help

Sorry, I did not answer your question.

Yes, previously I provided a passphrase with -N, but after I did it again without it, I was able to run it from bash.

However, it does not run from within OH - and it does not provide any response (same like running it from bash).
I guess I need to go to DEBUG level for all Karaf relevant packages


EDIT:
I tried this as well - no change:
executeCommandLine("ssh@@-p@@8101@@-i@@/home/openhab/karaf_keys/openhab.id_rsa@@openhab@localhost@@'bundle:restart org.openhab.binding.netatmo'", 6000)

Are you catching and logging the output?

val results = executeCommandLine(...
logInfo("testing", results)

What do you see if you run:

sudo -u openhab ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost 'bundle:restart org.openhab.binding.netatmo'

That’s actually the problem - The command is executed and restarts the binding, but does not give any feedback:

[07:21:58] openhabian@Homer:~$ sudo -u openhab ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost 'bundle:restart org.openhab.binding.netatmo'
[07:22:17] openhabian@Homer:~$

I also set some karaf related bindings to DEBUG, but this does not show any DEBUG entry in openhab.log:
57 | Active | 80 | 4.0.8 | Apache Karaf :: Wrapper :: Core
110 | Active | 80 | 0.9.0.b5 | Eclipse SmartHome Console for OSGi runtime Karaf
167 | Active | 80 | 2.1.0 | openHAB Karaf Integration

EDIT:
Obviously there is a difference if I switch “really” to openhab user and run from there:
sudo su (to switch to root)
su openhab
this time I ran:
ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost

and confirmed:
Warning: Permanently added ‘[localhost]:8101’ (RSA) to the list of known hosts.

However, it did not change something (from rule it’s still not doing anything)

I don’t really have anything else to offer in terms of help. My experience with exec binding and executeCommandLine only goes so far.

Does it work if you put the commands into a script and executed the script?

Thanks anyway - your help is greatly appreciated.
I guess you are the one with (by far) the most responses to any kind of problems.

So again - thanks for your patience and endurance :slight_smile:

You have been right:
It does NOT work with:
executeCommandLine("/usr/bin/ssh -p 8101 -i /home/openhab/karaf_keys/openhab.id_rsa openhab@localhost 'bundle:restart org.openhab.binding.netatmo'", 6000)

but it DOES with the same stuff in a script:
executeCommandLine("/etc/openhab2/scripts/restartNetatmo.sh", 7000)

Now I remember that I struggled a lot with the same inconsistent behaviour when I started with OH.
I am wondering why this general issue is still present.


Because it is exceptionally difficult to execute command line scripts from Java and have it behave consistently across all operating systems and platforms.

I have permission issues:
Execution failed (Exit value: -559038737. Caused by java.io.IOException: Cannot run program “/etc/openhab2/scripts/renewFritzBoxWANIP.sh” (in directory “.”): error=13, Permission denied)

any idea?

Works with:

executeCommandLine("bash /etc/openhab2/scripts/renewFritzBoxWANIP.sh", 7000)
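
One possible shape for a wrapper script that a rule calls through executeCommandLine, as an added example (it is not the poster's restartNetatmo.sh, whose contents are not shown in the thread). The function names, the KARAF_KEY/KARAF_PORT variables, the DRY_RUN switch and the file name restartBundle.sh are assumptions; BatchMode makes ssh fail instead of waiting at a prompt like the "Password authentication" lines logged above.

```shell
#!/bin/sh
# Added example: wrapper for executeCommandLine, not the script from the thread.
# Key path, port and login are the ones quoted in the posts above.
KEY=${KARAF_KEY:-/home/openhab/karaf_keys/openhab.id_rsa}
PORT=${KARAF_PORT:-8101}

# Accept only plain symbolic names (letters, digits, dot, dash, underscore) so a
# value passed in from a rule cannot append console commands or shell syntax.
valid_bundle() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

restart_bundle() {
    if ! valid_bundle "$1"; then
        echo "rejected bundle name: $1" >&2
        return 2
    fi
    # BatchMode=yes: never prompt for a password or passphrase; fail instead.
    #   The openhab user's known_hosts must already hold the [localhost]:8101 key.
    # IdentitiesOnly=yes: offer only the key named with -i.
    set -- ssh -p "$PORT" -i "$KEY" -o BatchMode=yes -o IdentitiesOnly=yes \
        openhab@localhost "bundle:restart $1"
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"          # hypothetical switch: show the command, do not run it
    else
        "$@"
    fi
}

# Run only when a bundle name was given, e.g. (hypothetical file name):
#   bash /etc/openhab2/scripts/restartBundle.sh org.openhab.binding.netatmo
if [ "$#" -gt 0 ]; then
    restart_bundle "$1"
fi
```

Calling it as `bash <script>` from the rule, as in the post above, avoids the error=13 case where the file lacks the execute bit for the openhab user.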

Hi


So I must embarrassingly admit that I am in the same situation, almost. In an attempt to get a backup script to run without a password I messed with the sudoers file and have now removed my user openhabian from the sudoers
so now I cannot even run the backup command (even though I have a completely fresh backup).
I am working on a Mac, and have inserted the SD card like you say above, but how do I find the specific path to the SD card sudoers file in Terminal?
Thanks in advance from a desperate man.
:slight_smile:

I don’t use Mac so I’ve no idea how to mount the SD card or where it appears when mounted.

@rlkoshak Rich, not quite clear on this.

I did

ssh-keygen -t dsa -f karaf.id_dsa -N karaf

but I am not clear on this step


You can copy in the content of the karaf.id_dsa.pub file in the etc/keys.properties:

Does that mean I should open keys.properties and cut and paste the contents of the karaf.id_dsa.pub file into it?

Yes. It has been ages since I’ve done this but I think the comments in the file tell you what you need to do.

I think you need to add a line that has openHAB=<paste your public key here>,<copy the roles from the karaf line>

I don’t currently have this set up so I’m going from memory here.

I still don’t fully get what needs to be done, as there’s already an entry for the openhab user in /var/lib/openhab2/etc/users.properties (it’s surrounded by {CRYPT} tags):

openhab = {CRYPT}xxxxxxxx{CRYPT},_g_:admingroup

Do I have to replace the current line for the openhab user with a line containing the public key (and the group) from karaf.id_rsa.pub generated according to the Karaf instructions? As in:

#openhab = {CRYPT}xxxxxxxx{CRYPT},_g_:admingroup
openhab = (CONTENT_OF_ karaf.id_rsa.pub_GOES_HERE),_g_:admingroup

where (CONTENT_OF_ karaf.id_rsa.pub_GOES_HERE) is replaced with the content of karaf.id_rsa.pub.

Is there something else needed, e.g. setting an entry in ~/.ssh/authorized_keys for the openhabian user?

It’s been years since I’ve done this. But I believe you need to add an entry to keys.properties, not users.properties. At least that is where I added my key.

authorized_keys controls what certificates are allowed to log into your host operating system’s account. By adding your key to keys.properties, you are essentially editing the equivalent of authorized_keys for the Karaf Console.

When copying your key over from the .pub file, make sure to only copy the key part (the random string). Omit the ssh-rsa at the beginning and anything after it.
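
The copy step described in the last replies, as an added example that is not part of the original posts: it takes only the base64 field of a .pub file and prints a keys.properties line in the `openhab=<key>,_g_:admingroup` form quoted earlier in the thread. The function name and the sample key are constructed for illustration; restricting to ssh-rsa follows the thread's report about DSA keys.

```shell
#!/bin/sh
# Added example: build the keys.properties line from an OpenSSH .pub file.
# usage: karaf_key_line USER PUBFILE ROLES
karaf_key_line() {
    kk_user=$1 kk_pub=$2 kk_roles=$3
    kk_type='' kk_blob=''
    # A .pub file is one line: "<type> <base64 key> [comment]".
    read -r kk_type kk_blob kk_rest < "$kk_pub" || :
    case $kk_type in
        ssh-rsa) ;;    # the thread reports Karaf accepting RSA and not DSA
        *) echo "not an ssh-rsa public key: $kk_pub" >&2; return 1 ;;
    esac
    # Only the base64 field goes into the file; reject anything else
    # (this also stops a private key file from being pasted by mistake).
    case $kk_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key field in $kk_pub" >&2; return 1 ;;
    esac
    printf '%s=%s,%s\n' "$kk_user" "$kk_blob" "$kk_roles"
}

# Constructed sample key (not a real key), written to a temporary file.
sample=$(mktemp)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED0123456789 openhab@Homer' > "$sample"
karaf_key_line openhab "$sample" '_g_:admingroup'
rm -f "$sample"
```

The printed line is what gets appended to keys.properties; the private key stays with the openhab user and never goes into that file.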