How to SSH one word to QNAP NAS

I would like to send a commandline from a rule to SSH into my QNAP NAS to execute the command “poweroff” So far this has proven impossible. Has anyone achieved this simply? I’ve found many ways online that don’t work but none that do!

Are you able to do that via ssh on the command line? That would be the first step.

 putty -ssh -l username -pw password -m /home/pi/scripts/poweroff.txt

works from a Linux command window when logged in as user pi whereas openhab runs as user openhab. It also doesn’t work from a script, and it exposes the password in the command line. As its never worked I’m open to any way of achieving this

it’s really simple :wink: but there are some things you’ll need to do first…

  • create a user xyz at QNAP NAS which is allowed to start the poweroff command. (xyz → whatever you would like to name it)
  • create a pair of keys for secure login. Ensure not to set a password for the private key
  • ssh-copy-id the public key to the qnap as user xyz
  • create a .ssh directory in the home directory of openhab user (this is the one which runs openHAB)
  • copy the private key to the .ssh directory, use id_rsa as file name. Ensure that id_rsa as well as .ssh/ are owned by the user openhab and permission is 700 for both directory and private key
  • setup the command as follows:
/usr/bin/ssh xyz@ /home/pi/scripts/poweroff.txt

There are several threads here on how to send commands secured via ssh by using key login.

Perhaps not as simple for me sadly. Any chance you can dumb this down to Linux Security newbie level please?

According to what I’ve read online only the admin user can do this on a QNAP? Certainly a user with admin permission couldn’t login using SSH, but the original admin user could once enabled.

err, how do I do this? I know nothing about Keys and haven’t needed to login to QNAP using SSH until now so I have no idea what’s allowed in there and how easily it is to break it

ssh-keygen -b 4096 -C "$(whoami)@$(uname -n)-$(date -I)" and hit return for each of the questions. The keys are generated for the user under which you issue the command and you’ll find them at ~/.ssh/id_rsa (that’s the private one, keep it well hidden) and the public key.

You might create a user and grant permissions to that by sudo and settings in the sudoers file. Google for details.

As I did not write a tutorial in english yet :slight_smile: Let’s try…

  1. login to QNAP as an administrator, create a user through QNAP UI (let’s name it openhab, seems legit) which is able to login to the QNAP shell.
  2. login to your openHAB server. Is it a Raspberry Pi with openHABian? Then use the openhabian user.
  3. login as user openhab (will be much less work…) by using this command:
    sudo su - openhab -s /bin/bash
  4. create the needed directory:
    mkdir .ssh
  5. make it only accessible for user openhab:
    chmod 700 .ssh
    check that all worked: ls -la the list should contain the directory .ssh with permissions dxrw------
  6. create a pair of keys: (see rubens’ command)
    ssh-keygen -b 4096 -C "$(whoami)@$(uname -n)-$(date -I)" and don’t set a password!
  7. check if both id_rsa and were created:
    ls -l .ssh
  8. copy the public key to QNAP by using this command:
    ssh-copy-id where would be the ip address of your QNAP. You have to use the password of the newly created user openhab on your QNAP (the last time…)
    If all went as planned, ssh-copy-id will report that one id was successfully copied to the remote computer.
  9. check whether you can login:
    ssh (yap, that should do, as current user is openhab and the private key is stored in the correct directory)
  10. logout from QNAP, logout as user openhab, logout as user openhabian.

Next thing is, to give QNAP user openhab permission to use the poweroff command. The “correct” way to do it is via sudoers file:

  1. ssh to QNAP, using the administrator user
  2. try command visudo which should give you an editor and the sudoers file. DON’T use simply an editor on this file, as you may lock out if you mess something up. visudo will check before saving and complain if something is wrong.
  3. insert a new line, right under a similar line for user root:
    openhab ALL (ALL) NOPASSWD /sbin/poweroff
    Maybe poweroff is named different or is placed in another directory. check before…
    This line will grant the user openhab to use the command /sbin/poweroff with sudo without using a password.

Now, create an exec thing with the command or define a rule to use executeCommandLine()
Use /usr/bin/ssh sudo poweroff as commandline, e.g.within a rule:

1 Like

Thank you very much for the tutorial, I will give it a try and let you know how it goes. Unfortunately I’ve just developed a recurrence of a medical problem that may result in a trip to hospital so there may be a delay before I can test.

It won’t hurt to create the directory and set the permissions manually but in my experience it is not necessary as ssh-keygen does all that on it’s own. Or am I missing something?

Haven’t used executeCommandLine() for a while but it used to be required to whitelist commands in /etc/openhab/misc/exec.whitelist

executeCommandLine does not require it. The whitelist is required for exec binding which is a different one.

I stand corrected

I had sometimes a problem without creating the directory manually.
But maybe it was about manually copying a public key to ~/.ssh/authorized_keys… :slight_smile: