Use Openhab to Power ON/OFF your Synology

shutdown
synology
wake-on-lan
Tags: #<Tag:0x00007f0147252c78> #<Tag:0x00007f0147252b38> #<Tag:0x00007f01472529d0>

(Felix) #1

Based on my earlier problems I will set up a guide on how to include your Synology into Openhab. Mainly this is used to post Status and to Turn the Synology ON/OFF via Openhab.

The main reason behind the setup is to be able to login to the Synology without using a password, as well as running the poweroff command without the need to enter a password. This enables us to shutdown the Synology with just one command.

I am running openHABian distro on a Raspberry Pi 3 B+ and a Synology DS-215j on newest DSM.

This is a step by step guide:

1. Create a user Openhab on Synology.
This is probably an optional point, but I did it anyway. Login to your Synology via Webinterface, add another user (I used openhab as username). Grant this user admin rights and access to homes folder (read/write).

1.1 Allow password-less login via SSH on Synology

  • Login with SSH on your synology
  • Open sshd_config
    sudo vi /etc/ssh/sshd_config
  • Uncomment the lines - Remote the #

#RSAAuthentication yes
#PubkeyAuthentication yes

  • Restart SSH Service:
    sudo synoservicectl --reload sshd

2. Enable poweroff access.
To enable access to poweroff function we need to edit the sudoers file.
Therefore use PuTTy (or other ssh tool) to remotely login to your Synology. Use an admin user (or the just created openhab). After logging in switch to user root

sudo -i

Then edit the sudoers file with this command

sudo vi /etc/sudoers

Add the follwing line. This will ensure that no password is required to execute the poweroff command (I guess one could leave the reboot/shutdown out of this line since you will use the poweroff mainly)

%administrators ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown

Save the file and exit.
If you dont know how to operate vi editor please use this link (thats where I figured it out: https://www.cs.colostate.edu/helpdocs/vi.html)

3. Set up SSH-Keys for password-less login
(most of this step is taken from https://www.tecmint.com/ssh-passwordless-login-using-ssh-keygen-in-5-easy-steps/ )
So basically you want to set up a key-pair, so the Synology allows login from user openhab on your openHABian.

A) Start your openhab-device Terminal as user openhabian (or remotely login via puTTy) then generate the keys:

ssh-keygen -t rsa

Hit Enter for all questions (file to save key, as well as passphrase)

B) Create a .ssh folder on your Synology via ssh
The follwing command will remotely create a .ssh folder on your Synology in user openhab homefolder (assuming that 192.167.178.50 is the IP adress of Synology and port for SSH is not changed).

ssh openhab@192.167.178.50 mkdir -p .ssh

If this is your first login confirm the dialog by typing yes.
Enther password for user openhab on Synology.

EDIT: Alternative:
ssh-copy-id openhab@192.167.178.50

C) Copy the generated keys form the Raspberry to Synology

cat .ssh/id_rsa.pub | ssh openhab@192.167.178.50 ‘cat >> .ssh/authorized_keys’

D) Permission change for .ssh files on Synologvy via remote:
This command will set the permissons on the authorized_keys file to read/write/change only for the user openhab. If this is not done the keys will not be accepted.

ssh openhab@192.167.178.50 “chmod 700 .ssh; chmod 640 .ssh/authorized_keys”

After this command we are finished with setting up the Synology. Now we have to set up the RaspberryPi user openhab with the key-files.

EDIT (input from @borcon)
ssh openhab@192.167.178.50 "chmod 755 /volume1/homes/openhab"
This command is needed because the ssh service does not allow full rights.

After this you should test the passwordless connection manually. If this works you can proceed.
If the connection is not working then there is a good debug possibility.

Run command on synology - this opens a second SSH Port for debugging:
sudo /bin/sshd -d -p 1234

Type in the ssh from your openhab the following command:
ssh openhab@192.167.178.50 -p 1234
The SSH session on the synology shows now, why the passwordless connection did not work. In most cases the userrights a wrong.

4. Transfer keys to user openhab
Tranfer the keys on your raspberry from /home of openhabian to home of openhab so Synology accepts passwordless login from user _openhab:

First we need to change the permissions on .ssh folder so it is readable by all users (execute from /home of user openhabian)

sudo chmod -R 777 .ssh/

Now we want to copy the folder/files to /home of user openhab. This can only be done by executing a command as openhab.

Sudo –u openhab cp –r .ssh ~openhab/

The folder is still set up with the wrong permissions, so we need to change those as user openhab

Sudo –u openhab chmod 700 ~openhab/.ssh/known_hosts
Sudo –u openhab chmod 700 ~openhab/.ssh/id_rsa.pub
Sudo –u openhab chmod 700 ~openhab/.ssh/id_rsa
Sudo –u openhab Chmod 700 ~openhab/.ssh

EDIT: Some improvements on user rights: Change the rights back to original (on the pi). I have neglected these in my instructions as all devices are only accessible locally (or via VPN).

The default rights are:
/home/openhabian/.ssh --> chmod 700
/home/openhabian/.ssh/id_rsa --> chmod 600 (Private Key)
/home/openhabian/.ssh/id_rsa.pub --> chmod 644 (Public Key)
/home/openhabian/.ssh/known_hosts --> chmod 644

After this you are done and should be able to use the follwing command to login to your Synology.

sudo -u openhab ssh openhab@192.167.178.50

Since this is the first login you will have to confirm once again with yes and enter the password.
From now on you should not need to enter a password anymore.

Try using (from user openhabian on your Raspberry).

Sudo –u openhab ssh openhab@192.167.178.50 sudo poweroff

Your Synology should shut down. If you got this to work you are now able to use the below command in a rule to shutdown your Synology with openHAB.

executeCommandLine(“ssh openhab@synologyIP sudo poweroff”, 5000)


I will add a sample .items .rules .sitemap some other day.


[SOLVED] Power on/off Synology Diskstation with Openhab2
(Felix) #2

Most of my “how I did it is online”.

Feedback / corrections are most welcome.


(borcon) #3

Hi @flautze,

i tried your tutorial, but with your steps it did not work. You have some steps forgotten and you can improve some parts.
Can you update your tutorial?

First step to allow a password-less login is to allow this in the ssh service from your synology.

  • Login with SSH on your synology
  • Open sshd_config
    sudo vi /etc/ssh/sshd_config
  • Uncomment the lines - Remote the #
    #RSAAuthentication yes
    #PubkeyAuthentication yes
  • Restart SSH Service:
    sudo synoservicectl --reload sshd

Step 3 B - C can be replaced with one command:
ssh-copy-id openhab@192.167.178.50

This command should be added to Step 3:
ssh openhab@192.167.178.50 "chmod 755 /volume1/homes/openhab"
This command is needed because the ssh service does not allow full rights.

After step 3, i think the users should first test the passwordless connection and if it works, than continue with step 4.

If the connection is not working then there is a good debug possibility.
Run command on synology - this opens a second SSH Port for debugging:
sudo /bin/sshd -d -p 1234

Type in the ssh from your openhab the following command:
ssh openhab@192.167.178.50 -p 1234
The SSH session on the synology shows now, why the passwordless connection did not work. In most cases the userrights a wrong.

In Step 4, first command you change the rights of the .ssh dir. After the copy command you shoud restore the user rights. It’s not good to allow each user access to the private key. High Security Risk.

The default rights are:
/home/openhabian/.ssh --> chmod 700
/home/openhabian/.ssh/id_rsa --> chmod 600 (Private Key)
/home/openhabian/.ssh/id_rsa.pub --> chmod 644 (Public Key)
/home/openhabian/.ssh/known_hosts --> chmod 644

At last step you can do some Security Improvements on Synology:

  • Deny openhab user in GUI access to each folder execpt the homes folder
  • Deny access to all applications in GUI
  • Do not allow the openhab user to change his own password in GUI

I tried these steps with my raspberry and synology ds216play.


(Felix) #4

Thanks for your feedback. I have edited it in the tut, however I do not recall I had to do those steps. Problem is I only did those once, so I cannot redo the steps here.