Of Exec binding and keys and permissions

I have spent the past several weeks debugging a problem I’ve had with my use of the Exec binding and I think I just figured it out.

First of all, it took until now to follow my own advice and add in some logging statements. It just goes to show that we should never assume we know what is going on.

The environment:

  • openHAB is running on an old laptop running the latest Ubuntu
  • A remote Raspberry Pi (first gen) running wheezy

I have a script that sshes to the RasPi and executes a command to restart a service. My goal is to set up a switch that will cause this script to run.

I set up my keys so the openhab user can log in without a password and sudoers is configured so a password is not required to execute the service command on the RasPi.

When I execute the script as my user it works.

When I execute the script as the openhab user using sudo runuser -l -c 'path to script' it works.

When I executed it from an Item configured with the Exec binding I would get nothing.

I tried all sorts of experiments to figure out what the problem was. I was convinced that the problem was a difference between the two environments and I was right, but it wasn’t what I expected which is why I’m sharing this here.

When I turned the switch to a dumb switch and used the executeCommandLine action instead of the binding, and logged out what the command produced I saw this:

2015-12-23 14:47:52.188 [INFO ] [nhab.model.script.Reset Garage] - Attempting to reset mqttReporter
2015-12-23 14:47:52.573 [INFO ] [nhab.model.script.Reset Garage] - Garage mqttReporter reset with result: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/var/lib/openhab/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/var/lib/openhab/.ssh/id_rsa": bad permissions
Permission denied (publickey).

Huh? When I generated and copied the keys to ~openhab/.ssh it used the default mask and indeed the private key was -rw-r--r--. Once I switched it to -rw------- everything worked great.

Now why it worked when I ran it using runuser -l I can’t say. But for all you Exec binding users out there who can’t seem to figure out why you can run the script from the command line but it won’t work through openHAB, set up a rule, use the executeCommandLine action (with the timeout so you can get the output) and log what the output actually is. You might be surprised.

Hello user from the past
I had this exact problem and solved it by googling “Permissions 0644 for ‘.ssh/id_rsa’ are too open.”

Which led me to this Stack Overflow post

tl;dr: Basically chmod 600 id_rsa

Hope this helps future readers

Thanks. I solved it long ago and forgot to come back and post it here. The root problem actually came from the fact that the setpermissions.sh script which runs every time you start openHAB does a chmod of ug+rw on all the files in ~openhab, including the .ssh folder.

Ya, I’ve seen many comments about the setpermissions.sh script.
So if RW is value 6, doesn’t the setpermissions.sh script set the files to 600 or 660?
If it’s 600 then no issue, I believe.

Regardless setting the keys to 600 worked for me.

The script gave read write permissions to the Group.

I should note that the setpermissions.sh script was updated to not do this with the 1.8.2 release last night.

Runs update–Sees ‘many’ updates for openhab & bindings :smiley:

Nice, so supposedly we don’t have to worry about setpermissions.sh affecting keys anymore.

Hi,
I use a raspberry 4 with the latest version of openhabian: Linux openhab 4.19.118-v7l+ #1311 SMP Mon Apr 27 14:26:42 BST 2020 armv7l

I use an exec binding to access another Linux system over SSH and this is the log of the problem.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for ‘/var/lib/openhab2/.ssh/id_rsa’ are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key “/var/lib/openhab2/.ssh/id_rsa”: bad permissions
Permission denied, please try again.
Permission denied, please try again.
volumio@192.168.1.21: Permission denied (publickey,password).

I have changed the permissions many times, but some script brings the permissions back to 0660 when the system restarts.
I can’t find any setpermissions.sh script. Can someone help, please? I thought that this was openHABian related, but then I found this post, so maybe it’s OH related.
Best regards
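
A pre-flight check for the situation described in this thread, added here as an example and not code from openHAB or from any poster: it applies the test behind the 0644 and 0660 errors above (any group or other permission bit on a private key owned by the calling user) and tightens the key before an unattended ssh call. The function names and argument layout are hypothetical, and it assumes GNU `stat` and that the user running the script owns the key.

```shell
#!/bin/sh
# Added example: check an SSH private key before a scripted ssh call.
# Names and argument order are illustrative, not openHAB defaults.

# Print the key's permission bits in octal, e.g. 644 (GNU coreutils stat).
key_mode() {
    stat -c '%a' "$1"
}

# Succeeds (returns 0) when ssh would ignore the key: for a key owned by
# the calling user, any group or other bit set (mode & 077) is "too open".
key_too_open() {
    _mode=$(key_mode "$1") || return 2
    [ $(( 0$_mode & 077 )) -ne 0 ]
}

# Verify the key exists and tighten it to 600 if a restart or another
# script has loosened it. Messages go to stderr so the caller can log them.
ensure_key_usable() {
    if [ ! -f "$1" ]; then
        echo "ERROR: private key $1 not found" >&2
        return 2
    fi
    if key_too_open "$1"; then
        echo "WARN: $1 is mode $(key_mode "$1"), ssh would ignore it; setting 600" >&2
        chmod 600 "$1" || return 1
    fi
    return 0
}

# Usage: preflight.sh KEYFILE USER@HOST REMOTE_COMMAND...
if [ "$#" -ge 3 ]; then
    key=$1
    target=$2
    shift 2
    ensure_key_usable "$key" || exit 1
    # BatchMode makes ssh fail instead of prompting for a password;
    # 2>&1 puts ssh's own warnings into the output the caller logs.
    ssh -i "$key" -o BatchMode=yes "$target" "$@" 2>&1
fi
```

Because the warning from `ensure_key_usable` is written to stderr, a rule that logs the command's output will show when the key's mode was changed behind your back.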

This thread is over four years old. There is no longer a setpermissions.sh script.

I believe the mechanism that checks the files in openHAB now only changes ownership, not permissions. I recommend opening a new thread.

Thank you rlkoshak. If there is no longer a setpermissions.sh script, maybe it could be an openHABian problem and not openHAB related. I’m going to check this possibility; then, if I can’t find the solution, I’m going to open a new thread.
Best regards