SSH command add to whitelist

Hello, I can’t run ‘ssh user@ sudo shutdown -h now’ from openHAB.

I copied the same line into the whitelist file. Probably the syntax is not right, but there was no example in the file and I cannot find any examples.

This is what I get in the log.
2023-12-25 18:44:00.097 [WARN ] [ng.exec.internal.handler.ExecHandler] - Tried to execute ‘ssh user@ sudo shutdown -h now’, but it is not contained in whitelist.

Whitelist file.

Do you have to use the exec binding? If not, use executeCommandLine instead. It does not require whitelisting.

Don’t use quotes in the whitelist nor in the exec command. Use the full path to call ssh.

/usr/bin/ssh user@ sudo shutdown -h now

Please be aware that this is not the recommended way to shut down a remote machine (although it should work and is easy).

I am a total Sunday code writer. This is the first time I hear that shutdown -h is not good. Could you share the right way?

Probably I don’t need to use exec, but that was the only solution I found. If you could share another possibility, I would appreciate it.

Ah, sorry, this was a bit confusing…
There is no problem with shutdown -h now (although poweroff is shorter), but my point is, the sudo over ssh is not the “right” way to do it.

The clean way to do it is to create a small script on the remote machine, which will execute the shutdown command. As this command is only allowed for a privileged user, you will need to set up a nopasswd policy in /etc/sudoers for that command and the (local) user which shall be allowed to send the command without password. (use visudo for that part!)
To execute that script, you should set up a pair of keys to allow user openhab to log in without password, then copy the public key to the remote machine and set up an allowed command (in authorized_keys, the command is the script on the remote machine).
In openHAB, you are now able to use ssh -i .ssh/id_file <user>@remotehost script parameter
parameter will be sent to script, so you can send different commands, but each command has to be configured in the remote script.
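
A sketch of the remote-side script described in the post above, added here as an example and not part of the original thread. The script path `/usr/local/bin/openhab-remote`, the remote user `ohremote`, the `/sbin` paths and the two actions are assumptions; adjust them to the remote system. With a forced command in authorized_keys, sshd hands whatever the client asked to run to the script in `SSH_ORIGINAL_COMMAND`, not as `$1`.

```shell
#!/bin/sh
# Hypothetical location: /usr/local/bin/openhab-remote (added example, names are assumptions).
#
# /etc/sudoers entry for the assumed remote user, added with visudo:
#   ohremote ALL=(root) NOPASSWD: /sbin/poweroff, /sbin/reboot
#
# ~ohremote/.ssh/authorized_keys, one line (key material is a placeholder):
#   restrict,command="/usr/local/bin/openhab-remote" ssh-ed25519 <PUBLIC-KEY> openhab
#
# openHAB side, in the form given in the post:
#   /usr/bin/ssh -i .ssh/id_file <user>@remotehost script poweroff

# Map the untrusted request to a fixed command line.
# Only the last word is inspected, and nothing from the request is ever
# executed: the output is always one of the constant strings below.
resolve_action() {
    param=${1##* }          # "script poweroff" -> "poweroff"
    case "$param" in
        poweroff) echo "sudo -n /sbin/poweroff" ;;
        reboot)   echo "sudo -n /sbin/reboot" ;;
        *)        return 1 ;;   # anything not configured here is refused
    esac
}

# Only act when invoked by sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if action=$(resolve_action "$SSH_ORIGINAL_COMMAND"); then
        logger -t openhab-remote "accepted: $action"
        # Intentional word splitting: $action is one of the fixed strings above.
        exec $action
    else
        logger -t openhab-remote "rejected request from ${SSH_CONNECTION:-unknown}"
        echo "unknown command" >&2
        exit 1
    fi
fi
```

Because the key is bound to this one script and sudo is limited to the listed binaries, a stolen openHAB key can trigger only the configured actions, and rejected requests show up in syslog under the `openhab-remote` tag.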