So I'm shutting down pfSense via a rule. I've installed the cron package on pfSense, which allows a command to be run without a password; this works fine.
I also used ssh-keygen to set up public/private keys, so ssh user@192.168.1.254 also works fine from openHAB.
My rule below fails though; I've tried many permutations without success. Any guidance would be great!
rule "Shutdown Firewall"
when
Item shutdownfirewall changed to ON
then
shutdownfirewall.postUpdate(OFF)
Thread::sleep(100)
executeCommandLine("sudo@ssh@user@192.168.1.254@sudo@/etc/rc.halt")
end
09:06:40.920 [WARN ] [del.core.internal.ModelRepositoryImpl] - Configuration model 'system.rules' has errors, therefore ignoring it: [10,28]: no viable alternative at input '"results- "'
[10,48]: extraneous input ')' expecting 'end'
rule "Shutdown Firewall"
when
Item shutdownfirewall changed to ON
then
shutdownfirewall.postUpdate(OFF)
Thread::sleep(100)
executeCommandLine("ssh@nsautomate@192.168.1.254@'sudo@/etc/rc.halt'")
var result = executeCommandLine("sudo ...")
logInfo("exectest"."results- " + result)
end
rule "Shutdown Firewall"
when
Item shutdownfirewall changed to ON
then
shutdownfirewall.postUpdate(OFF)
Thread::sleep(100)
var result = executeCommandLine("sudo ssh@nsautomate@192.168.1.254@'sudo@/etc/rc.halt'")
logInfo("exectest", "results- " + result)
end
Changed them to @@, same issue. Prints nothing, I'm afraid.
rule "Shutdown Firewall"
when
Item shutdownfirewall changed to ON
then
shutdownfirewall.postUpdate(OFF)
Thread::sleep(100)
var result = executeCommandLine("sudo ssh@@nsautomate@192.168.1.254@@sudo@@/etc/rc.halt")
logInfo("exectest", "result-" + result)
end
As said, that suggests your rule may not be running. Why not find out?
rule "Shutdown Firewall"
when
Item shutdownfirewall changed to ON
then
logInfo("exectest", "rule triggered")
...
Thinking on it, another possibility for failing to get to the other logInfo is that the script call never returns.
You should add a timeout to your call, so it cannot wait forever.
var result = executeCommandLine("sudo ... halt", 5000)
Yeah, this is different in that I'm executing a command as openhab but logging in as another user. This is non-interactive. Different to the example in the link you've posted.
Why do you run the ssh command using sudo (sudo ssh ....)? There should be no need to do so. The ssh client is executed on your local openHab node, not on the pfsense node.
When generating the private/pub keys, were you logged in as user openhab?
Unless you run openHAB as user root (which you shouldn't), this will not work. Normally, openHAB will run as user openhab, so you will need to generate the private/public key pair as user openhab (at least that is the easiest way to do it, since they will then end up in the correct home directory). If you're running openHABian, then the home directory for the openhab user is not /home/openhab/…
Anyone reading this who cannot 'guess the rest' should not follow the advice given in this thread. Anyone who can 'guess the rest' will understand that he/she should not follow the advice given in this thread.
The whole idea of computer security is defense in depth. Why don't we just run everything as root all the time? Why don't we just log in as root instead of needing to sudo all the time? Why is there a firewall on the host machine? Why are there file permissions?
It’s ALL to make it more difficult for an attacker to compromise a machine and to limit what they can do on a given machine if they are successful.
When you give the openhab user no password permission to run all commands, you may as well just run openHAB as root. When you run openHAB as root, if someone compromises the machine or compromises your account on myopenhab.org, they can literally do anything on your machine.
So no, the need to protect and limit what the openhab user can do is not limited to just those who expose their OH to the internet. That quote is applicable here as well as to the other thread. It’s a bad idea to give openHAB blanket sudo permissions. It’s a bad idea to run openHAB as root. And honestly, IMHO, it’s a bad idea to install and use the Exec binding. If I could, I’d disable the executeCommandLine Action too. Since I can’t, I rely on the Docker container to limit the damage that can be done should my openHAB get compromised.
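Pulling the thread's corrections together, here is a version of the rule written as an added example (not the original poster's code): openHAB 2's @@ argument separator, the timeout form of executeCommandLine, a log line before the call so you can see the rule fires, and ssh run directly as the openhab user rather than through a local sudo. It assumes the openhab user's own ~/.ssh already holds the private key and the firewall's known_hosts entry; the user and address are the ones from the thread.

```java
rule "Shutdown Firewall"
when
    Item shutdownfirewall changed to ON
then
    // Reset the trigger item first so the rule can be fired again later.
    shutdownfirewall.postUpdate(OFF)
    // Logged before the call: if this line never appears, the rule is not triggering at all.
    logInfo("exectest", "rule triggered, calling ssh as the openhab user")

    // openHAB 2 splits the string on '@@' into process arguments; no shell is involved,
    // so a local "sudo ssh" would be looked up as one program name and fail.
    // BatchMode=yes: never prompt for a key passphrase or password, fail instead of hanging
    //   (also fails if the firewall's host key is not already in the openhab user's known_hosts).
    // ConnectTimeout=5: give up quickly if the firewall is unreachable.
    // The remote command is passed as a single argument; 'sudo -n' errors out rather than
    //   waiting for a password if the sudoers entry on pfSense is not in place.
    val cmd = "ssh@@-o@@BatchMode=yes@@-o@@ConnectTimeout=5@@nsautomate@192.168.1.254@@sudo -n /etc/rc.halt"

    // Second argument is the timeout in milliseconds; without it a stuck ssh blocks the rule forever.
    // The returned string holds whatever ssh printed, which is what you want in the log when it fails.
    val result = executeCommandLine(cmd, 10000)
    logInfo("exectest", "ssh returned: " + result)
end
```

On the pfSense side, keep the key usable for this one purpose only: in the nsautomate user's authorized_keys use `command="sudo -n /etc/rc.halt",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...` (public key abbreviated here), and limit the passwordless sudo entry to `nsautomate ALL=(root) NOPASSWD: /etc/rc.halt` instead of ALL, so a stolen key or compromised openHAB can halt the firewall but nothing more.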