Need key-based authentication to access another server

  • Platform information: Raspberry 4
    • Hardware: 4GB
    • OS: Openhabian

I have made a key-based authorization to another server/Synology NAS with the user openhabian.
This script finds the last video file from the Synology Surveillance files and posts that video to Telegram, activated on an external trigger.

    ssh-keygen

After that I copied the key to the server with

    ssh-copy-id username@remote_host

The instructions came from this website.

And the script that I run works perfectly in the CLI (PuTTY).
If I run the script from an openHAB rule it doesn’t work.

  var String TestNr =  executeCommandLine("/home/openhabian/testvideo.sh" , 4000)
  logInfo("Script tester", "de ontvangen waarde is " + TestNr)

My error message is

Host key verification failed.

Adding a whoami to the script tells me that the script is being run not by openhabian but by openhab.

Is there a way to log in to the CLI as user openhab?
So I can generate an SSH key for openhab.

For anyone interested in the script.

    #!/bin/bash
    # ############################################# #
    # File to retrieve a video from synology server #
    # ############################################# #

    # Let a failing ssh inside a pipeline show up in the exit status
    set -o pipefail

    # Set the directory and the selected camera
    VIDEODIR='/volume1/surveillance/'
    CAMERA='cameraname/'
    USER_AT_SERVER='username@server'

    # Set the Telegram token
    TOKEN="00000000:jdhhddjjjdjjdjdjdjdjdjddj"
    # Set the receiver
    RECEIVER="123456789"
    # Set silent to 'true' if you do not want a notification when the video arrives
    SILENT='true'

    # Determine the date and what time of day it is
    DATUM=$(date +%Y%m%d)
    HOUR=$(date +%k)
    AMPM='AM'

    # This is needed because the locale may not use AM-PM for times;
    # from 12 onwards it is PM
    if [[ ${HOUR} -gt 11 ]]
    then
      AMPM='PM'
    fi

    echo "Dateformat Synology Surveillance:  ${DATUM}${AMPM}"
    # Build the full path
    FULLPATH="${VIDEODIR}${CAMERA}${DATUM}${AMPM}/"

    # Do a directory check on the remote server
    if ssh "${USER_AT_SERVER}" "[ ! -d '${FULLPATH}' ]"
    then
       echo 'The directory for this time frame is not available yet.' >&2
       exit 1
    fi

    # Check if there are videos available (the glob is expanded on the remote side)
    FCOUNT=$(ssh "${USER_AT_SERVER}" "ls -f ${FULLPATH}*.mp4" | wc -l)
    echo "${FCOUNT}"
    if [[ ${FCOUNT} -eq 0 ]]
    then
       echo 'There is no video available at this moment.' >&2
       exit 1
    else
       echo "There are ${FCOUNT} video(s) in this directory."
       echo "Will only show the last one."
    fi

    # Get the filename of the last video
    FILENAME=$(ssh "${USER_AT_SERVER}" "ls '${FULLPATH}'" | tail -1)
    if [[ ${?} -ne 0 ]]
    then
      echo "Something went wrong" >&2
      exit 1
    else
      echo "${FILENAME}"
    fi
    SNAPVIDEO="/var/tmp/${FILENAME}"
    # Copy the video to a local folder
    scp "${USER_AT_SERVER}:${FULLPATH}${FILENAME}" "${SNAPVIDEO}"

    # Send Telegram message with video
    curl -s -X POST "https://api.telegram.org/bot${TOKEN}/sendMediaGroup" -F chat_id="${RECEIVER}" -F media='[{"type":"video","media":"attach://video_1","caption":"Video"}]' -F video_1="@${SNAPVIDEO}" -F disable_notification="${SILENT}"

    # Remove video from /var/tmp
    rm -- "${SNAPVIDEO}"

    exit 0

This appears to be an ssh question. The keys are stored in a hidden .ssh folder in the user’s home directory. I do not know enough about the Synology OS to direct you on how to find where that is located. The permissions of the folder and files are critical for security too.

This is why we work to help people develop a solution rather than provide one to be copied. You need to understand how your system works to properly support it.

@Bruce_Osborne

I have checked the openHAB Raspberry; there is no home directory for the openhab user.

    From the etc/passwd file
    openhab:x:110:115:openhab2 runtime user,,,:/var/lib/openhab2:/bin/false


    [12:11:03] openhabian@openhab:/home$ pwd
    /home
    [12:11:09] openhabian@openhab:/home$ ls -al
    total 12
    drwxr-xr-x  3 root       root       4096 Jul 10  2019 .
    drwxr-xr-x 21 root       root       4096 Oct 31 11:56 ..
    drwxr-xr-x 10 openhabian openhabian 4096 Jan 30 13:51 openhabian

The openhab user has a UID of 110.

The Synology OS is Debian-based.

Before my SSH keys are copied to the Synology I have to generate them on the Raspberry.
That’s the part I am not able to do.

The next step would be ssh-copy-id to the Synology. If I can make the key in the previous step, the copy would be the easy part.

That is the home directory.

@Bruce_Osborne

How do I log in as user openhab on an openHABian Raspberry 4 4GB?
I have tried with a monitor and a keyboard directly on the Raspberry but have an empty screen.

You don’t. You can copy things in place as the root user and set the proper permissions. This is a Linux and ssh question that is really off-topic for this forum.
I do not have time to dive into how to set Linux permissions and what permissions are needed for ssh. If the permissions are not secure enough, ssh will not work.

From the /etc/passwd file
openhab:x:110:115:openhab2 runtime user,,,:/var/lib/openhab2:/bin/false

According to /etc/passwd the shell of this user is set to /bin/false. This entry does not allow a login for this user. The shell would have to be changed to a valid one. This shell ( /bin/false ) is used for security reasons to not allow any login.

Too bad, there is no easy way to get it done. @Wolfgang_S and @Bruce_Osborne thanks for your input.

I re-read your postings.
What you may try is:

  • create a .ssh directory under the openhab user's home directory
  • put the private key into this directory
  • make sure that the permission of that directory and private key is set to read for openhab user only
  • you can use the user root to do these actions
  • make sure that the directory and ssh private key is owned by the user openhab
  • doing this you should be able to use the private key from user openhab
  • of course on the remote site you need to import the public key of user openhab then

@Wolfgang_S

Fantastic it is working as desired.
Many thanks for your help.
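
The steps from the accepted reply earlier in this thread (create `.ssh` under the openhab home directory, place the private key, restrict permissions, set ownership), written as a root-run shell function that also audits the result. This is an added example, not code from the thread; the function names and arguments are assumptions, and `/var/lib/openhab2` is the home directory shown in the `/etc/passwd` line above.

```bash
#!/bin/sh
# Added example (not from the thread): install a private key for a service
# account that has no login shell. Run as root, for instance:
#   install_service_key /var/lib/openhab2 openhab <private-key-file>
# Function names and arguments are illustrative.

# Print the 10-character mode string of a path, e.g. drwx------
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Print the owner name of a path as ls reports it.
owner_of() { ls -ld -- "$1" | awk '{print $3}'; }

# audit_ssh_dir SSH_DIR OWNER KEY
# Succeeds only if the directory and key are owner-only and owned by OWNER.
audit_ssh_dir() {
    [ "$(mode_of "$1")" = "drwx------" ] || { echo "bad mode: $1" >&2; return 1; }
    [ "$(mode_of "$3")" = "-rw-------" ] || { echo "bad mode: $3" >&2; return 1; }
    [ "$(owner_of "$1")" = "$2" ] || { echo "$1 not owned by $2" >&2; return 1; }
    [ "$(owner_of "$3")" = "$2" ] || { echo "$3 not owned by $2" >&2; return 1; }
}

# install_service_key HOME_DIR OWNER PRIVATE_KEY
install_service_key() {
    home_dir=$1; owner=$2; key_src=$3
    ssh_dir="$home_dir/.ssh"
    key_dst="$ssh_dir/$(basename "$key_src")"

    [ -f "$key_src" ] || { echo "no such key: $key_src" >&2; return 2; }

    # umask 077 keeps every new file private from the moment it is created.
    (
        umask 077
        mkdir -p -- "$ssh_dir" &&
        cp -- "$key_src" "$key_dst" &&
        touch -- "$ssh_dir/known_hosts"   # ssh records the server's host key here
    ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$key_dst" "$ssh_dir/known_hosts" || return 1

    # Only root can hand files to another account; otherwise they stay ours.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$ssh_dir" || return 1
    fi
    audit_ssh_dir "$ssh_dir" "$owner" "$key_dst"
}
```

`Host key verification failed` concerns `known_hosts` rather than the key pair: the openhab account has not yet recorded the NAS host key, and a rule cannot answer the confirmation prompt. Running `sudo -u openhab ssh username@server` once from a terminal and confirming the fingerprint stores it in `/var/lib/openhab2/.ssh/known_hosts`; the matching public key still has to be added on the NAS.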