Shut down firewall rule not working

Hi All,

I always have issues with openhab executing these rules.

The loginfo output is ‘null’. The remote device (pfsense firewall) has a sudo package installed and has the openhab user defined with an SSH key and root privileges to run commands.

The rule is:

rule "Shutdown Firewall"
when
        Item shutdownfirewall changed to ON
then
        shutdownfirewall.postUpdate(OFF)
        Thread::sleep(300)
        var result = executeCommandLine("sudo ssh openhab@192.168.1.254 sudo /etc/rc.halt,5000")
        logInfo("exectest", "results- " + result)
end


15:10:59.041 [INFO ] [clipse.smarthome.io.net.exec.ExecUtil] - executed commandLine 'sudo ssh openhab@192.168.1.254 sudo /etc/rc.halt,5000'
15:10:59.042 [INFO ] [lipse.smarthome.model.script.exectest] - results- null

I’ve no idea why this supposedly simple task is insanely complex to do!

Any pointers would be great. sudo visudo already has the openhab user defined with the ability to run all commands

Thanks!

Maybe because it’s not supposed to build it like that? To remotely shut down whatever usually is just a sign of a deeper lying, still not correctly solved problem, this is why I dislike helping people with these.

Anyway, try removing the first sudo. It makes you ssh into your remote box as root, not openhab.

Try to put your ssh command between these ' '. Also put the timeout outside the " ".

executeCommandLine("ssh openhab@192.168.1.254 'sudo /etc/rc.halt'", 5000)
1 Like

Hi Markus, not sure what you mean, but shutting down a firewall via a ssh command is a perfectly legitimate way to shut the firewall down.

But I created the user on the server as openhab, for this purpose. I don’t want to use root.

Maurits, thanks, I’ll give that a go!!

Usually needing to do that is a workaround to avoid an issue of some sort. The REAL issue could cause you other problems later. The correct solution is to fix the original issue, not lower your security.

He’s (almost) safe when he succeeds in shutting down his inet connection, isn’t he?
No need to bother about re-activation, hackers or accidents to trigger this.
Actually I once saw the ‘perfect firewall device’ advertised on Ebay. It had resemblances to a wire cutter but hey, it was only $29.99 and it’s safe!

PS: sorry if you don’t share my humor.

2 Likes

:yawning_face:

Seriously?

1 Like

The voice of experience says “yes”. Ignored little issues can come back to bite you in the a$$ when it is least convenient to deal with it.

yawn Given I work in IT security, let me assure you the need to shut down the firewall by my parents (using their home automation software), who are in their 60s, because of possible bushfires is not masking another issue, but thanks.

1 Like

If there was a bush fire I’d rather run than worry about IT equipment but ok.
Forgive Bruce and me, he’s right for >99% of cases where people ask to reboot or halt systems.

1 Like

Have you fixed the timeout error yet?

Hi rossko57, time out? Is that the null? I’ve made the changes suggested above but not yet tested it. I will today.

As Maurits says

with no effective timeout, I understand exec returns immediately without waiting for results from your call, so yes it would always be null return.

1 Like

Fixed the verification issues, the loginfo now shows :yawning_face:

16:18:00.241 [ERROR] [untime.internal.engine.RuleEngineImpl] - Rule 'Shutdown Firewall': An error occurred during the script execution: null

Maybe increase the timeout to 15000?

I did try that, I wasn’t receiving anything in the logs, now again, I receive this:

results- Host key verification failed.

yet I can login just fine?

server@ihp:~/.ssh$ ssh openhab@192.168.1.254
[2.4.4-RELEASE][openhab@pfSense.server.ddns.net]/home/openhab:

Hi, your issue is that from the command line the user is ‘server’ who is doing the login, however when openHAB executes it, it is from the user ‘openhab’. So that is why you have the host key error.

You can try to do the ssh from the command line with the openhab user:

sudo -u openhab ssh openhab@192.168.1.254
2 Likes

You’re right, I can’t login using the openhab user :frowning:

How do I go about resolving it Maurits28? The openhab user is defined on the pfsense device with the key that was created on openhab from the key.pub file

You need to share the pub key of the openhab user on the openhab device. I can’t remember how I did this myself. You can search this forum for clues, or search general linux fora to see how to create a key set for a different user.
Now on the road, so can’t check my notes.

1 Like

That’s OK, I’ve looked and looked (near 6hrs now!). I try and create a key for the openhab user, copy it to the remote machine, but then it asks for a password. As far as I know the openhab user has no password. So I get authentication failures.

It’s just so stupidly complex when it shouldn’t be!

If you’ve got some notes, I’d love for you to share them at some stage.
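
The later posts turn on SSH client state being per local account: the known_hosts entry and private key that work for 'server' are not what ssh sees when openHAB runs it as 'openhab'. As an added example (not part of the thread), this shell function lists the client-side causes behind "Host key verification failed" and an unexpected password prompt. The function name and its arguments are assumptions, and it does not inspect the firewall's side.

```shell
#!/bin/sh
# Added example. List client-side reasons why ssh run as one local account
# fails although it works for another. Arguments: account, its home, remote host.
ssh_client_problems() {
    user=$1 home=$2 host=$3
    dir="$home/.ssh" kh="$home/.ssh/known_hosts"
    if [ ! -d "$dir" ]; then
        echo "$dir missing: $user has no key and no known_hosts"
        return 0
    fi
    # known_hosts is per user; no entry plus no terminal to confirm on
    # gives "Host key verification failed."
    found=no
    if [ -f "$kh" ]; then
        # Plain entries: field 1 is a comma-separated list of host names.
        if awk -v h="$host" '{ n = split($1, a, ",")
                for (i = 1; i <= n; i++) if (a[i] == h) hit = 1 }
                END { exit !hit }' "$kh"; then
            found=yes
        # Hashed entries (HashKnownHosts yes) can only be looked up by ssh-keygen.
        elif command -v ssh-keygen >/dev/null 2>&1 &&
             ssh-keygen -F "$host" -f "$kh" >/dev/null 2>&1; then
            found=yes
        fi
    fi
    [ "$found" = yes ] || echo "no host key for $host in $kh"
    # With no usable private key, ssh falls back to a password prompt.
    keys=0
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        keys=$((keys + 1))
        perms=$(ls -ld "$key" | awk '{ print substr($1, 5, 6) }')
        owner=$(ls -ld "$key" | awk '{ print $3 }')
        if [ "$owner" != "$user" ]; then
            echo "$key is owned by $owner, so $user may be unable to read it"
        elif [ "$perms" != "------" ]; then
            echo "$key is open to group/other; ssh refuses such keys"
        fi
    done
    [ "$keys" -gt 0 ] || echo "no private key (id_*) in $dir"
    return 0
}

# Run as root on the openHAB host, for example:
#   ssh_client_problems openhab "$(getent passwd openhab | cut -d: -f6)" 192.168.1.254
```

An empty result means the client side is in order for that account, which leaves the public key installed for the user on the firewall as the thing to check.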