Use Openhab to Power ON/OFF your Synology

Based on my earlier problems I will set up a guide on how to include your Synology into Openhab. Mainly this is used to post Status and to Turn the Synology ON/OFF via Openhab.

The main reason behind the setup is to be able to login to the Synology without using a password, as well as running the poweroff command without the need to enter a password. This enables us to shutdown the Synology with just one command.

I am running openHABian distro on a Raspberry Pi 3 B+ and a Synology DS-215j on newest DSM.

This is a step by step guide:

1. Create a user Openhab on Synology.
This is probably an optional point, but I did it anyway. Login to your Synology via Webinterface, add another user (I used openhab as username). Grant this user admin rights and access to homes folder (read/write).

1.1 Allow password-less login via SSH on Synology

  • Login with SSH on your synology
  • Open sshd_config
    sudo vi /etc/ssh/sshd_config
  • Uncomment the lines - Remove the #

#RSAAuthentication yes
#PubkeyAuthentication yes

  • Restart SSH Service:
    sudo synoservicectl --reload sshd

2. Enable poweroff access.
To enable access to poweroff function we need to edit the sudoers file.
Therefore use PuTTy (or other ssh tool) to remotely login to your Synology. Use an admin user (or the just created openhab). After logging in switch to user root

sudo -i

Then edit the sudoers file with this command

sudo vi /etc/sudoers

Add the following line. This will ensure that no password is required to execute the poweroff command (I guess one could leave the reboot/shutdown out of this line since you will use the poweroff mainly)

%administrators ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown

Save the file and exit.
If you don't know how to operate the vi editor, please use this link (that's where I figured it out): Basic vi Commands

3. Set up SSH-Keys for password-less login
(most of this step is taken from How to Setup SSH Passwordless Login in Linux )
So basically you want to set up a key-pair, so the Synology allows login from user openhab on your openHABian.

A) Start your openhab-device Terminal as user openhabian (or remotely login via puTTy) then generate the keys:

ssh-keygen -t rsa

Hit Enter for all questions (file to save key, as well as passphrase)

B) Create a .ssh folder on your Synology via ssh
The following command will remotely create a .ssh folder on your Synology in user openhab's home folder (assuming that 192.167.178.50 is the IP address of the Synology and the port for SSH is not changed).

ssh openhab@192.167.178.50 mkdir -p .ssh

If this is your first login confirm the dialog by typing yes.
Enter password for user openhab on Synology.

EDIT: Alternative:
ssh-copy-id openhab@192.167.178.50

C) Copy the generated keys from the Raspberry to Synology

cat .ssh/id_rsa.pub | ssh openhab@192.167.178.50 'cat >> .ssh/authorized_keys'

D) Permission change for .ssh files on Synology via remote:
This command will set the permissions on the authorized_keys file to read/write/change only for the user openhab. If this is not done the keys will not be accepted.

ssh openhab@192.167.178.50 "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

After this command we are finished with setting up the Synology. Now we have to set up the RaspberryPi user openhab with the key-files.

EDIT (input from @borcon)
ssh openhab@192.167.178.50 "chmod 755 /volume1/homes/openhab"
This command is needed because the ssh service does not allow full rights.

After this you should test the passwordless connection manually. If this works you can proceed.
If the connection is not working then there is a good debug possibility.

Run command on synology - this opens a second SSH Port for debugging:
sudo /bin/sshd -d -p 1234

Type in the ssh from your openhab the following command:
ssh openhab@192.167.178.50 -p 1234
The SSH session on the Synology now shows why the passwordless connection did not work. In most cases the user rights are wrong.

4. Transfer keys to user openhab
Transfer the keys on your raspberry from /home of openhabian to home of openhab so Synology accepts passwordless login from user openhab:

First we need to change the permissions on .ssh folder so it is readable by all users (execute from /home of user openhabian)

sudo chmod -R 777 .ssh/

Now we want to copy the folder/files to /home of user openhab. This can only be done by executing a command as openhab.

sudo -u openhab cp -r .ssh ~openhab/

The folder is still set up with the wrong permissions, so we need to change those as user openhab

sudo -u openhab chmod 700 ~openhab/.ssh/known_hosts
sudo -u openhab chmod 700 ~openhab/.ssh/id_rsa.pub
sudo -u openhab chmod 700 ~openhab/.ssh/id_rsa
sudo -u openhab chmod 700 ~openhab/.ssh

EDIT: Some improvements on user rights: Change the rights back to original (on the pi). I have neglected these in my instructions as all devices are only accessible locally (or via VPN).

The default rights are:
/home/openhabian/.ssh –> chmod 700
/home/openhabian/.ssh/id_rsa –> chmod 600 (Private Key)
/home/openhabian/.ssh/id_rsa.pub –> chmod 644 (Public Key)
/home/openhabian/.ssh/known_hosts –> chmod 644

After this you are done and should be able to use the following command to login to your Synology.

sudo -u openhab ssh openhab@192.167.178.50

Since this is the first login you will have to confirm once again with yes and enter the password.
From now on you should not need to enter a password anymore.

Try using (from user openhabian on your Raspberry).

sudo -u openhab ssh openhab@192.167.178.50 sudo poweroff

Your Synology should shut down. If you got this to work you are now able to use the below command in a rule to shutdown your Synology with openHAB.

executeCommandLine("ssh openhab@synologyIP sudo poweroff", 5000)


I will add a sample .items .rules .sitemap some other day.

2 Likes

Most of my “how I did it is online”.

Feedback / corrections are most welcome.
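The key created in step 3 has no passphrase and logs in as an admin user, so it is worth limiting what that key can do on the Synology. The script below is an added example, not part of the original post: it rewrites the matching `authorized_keys` entry so the key can only run one forced command. `FORCED_OPTS` and the name `restrict_key` are this example's own choices, and `/sbin/poweroff` is the path from the sudoers line in step 2.

```sh
#!/bin/sh
# Added example (not from the thread): limit the openHAB key to one forced command.
# Assumption: FORCED_OPTS is this example's choice; /sbin/poweroff is the path
# used in the sudoers line of step 2.
FORCED_OPTS='command="sudo /sbin/poweroff",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# restrict_key PUBKEY_FILE < authorized_keys > authorized_keys.new
# Rewrites only the entry whose key matches PUBKEY_FILE; other lines pass through.
restrict_key() {
    # The base64 key body of every OpenSSH public key starts with "AAAA".
    blob=$(awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit } }' "$1")
    if [ -z "$blob" ]; then
        echo "no public key found in $1" >&2
        return 1
    fi
    BLOB=$blob OPTS=$FORCED_OPTS awk '
        {
            for (i = 2; i <= NF; i++) if ($i == ENVIRON["BLOB"]) {
                # Drop any existing options, keep "<type> <key> <comment...>".
                entry = ENVIRON["OPTS"] " " $(i - 1) " " $i
                for (j = i + 1; j <= NF; j++) entry = entry " " $j
                print entry
                next
            }
            print   # a different key or a comment line: leave untouched
        }'
}
```

With such an entry in place, sshd runs the forced command whatever the client requests, so the rule's `ssh openhab@synologyIP sudo poweroff` keeps working while an interactive login with the same key does not.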

Hi @flautze,

I tried your tutorial, but with your steps it did not work. You have forgotten some steps and you can improve some parts.
Can you update your tutorial?

First step to allow a password-less login is to allow this in the ssh service from your synology.

  • Login with SSH on your synology
  • Open sshd_config
    sudo vi /etc/ssh/sshd_config
  • Uncomment the lines - Remove the #
    #RSAAuthentication yes
    #PubkeyAuthentication yes
  • Restart SSH Service:
    sudo synoservicectl --reload sshd

Step 3 B - C can be replaced with one command:
ssh-copy-id openhab@192.167.178.50

This command should be added to Step 3:
ssh openhab@192.167.178.50 "chmod 755 /volume1/homes/openhab"
This command is needed because the ssh service does not allow full rights.

After step 3, I think the users should first test the passwordless connection and if it works, then continue with step 4.

If the connection is not working then there is a good debug possibility.
Run command on synology - this opens a second SSH Port for debugging:
sudo /bin/sshd -d -p 1234

Type in the ssh from your openhab the following command:
ssh openhab@192.167.178.50 -p 1234
The SSH session on the Synology now shows why the passwordless connection did not work. In most cases the user rights are wrong.

In Step 4, first command you change the rights of the .ssh dir. After the copy command you should restore the user rights. It’s not good to allow each user access to the private key. High Security Risk.

The default rights are:
/home/openhabian/.ssh --> chmod 700
/home/openhabian/.ssh/id_rsa --> chmod 600 (Private Key)
/home/openhabian/.ssh/id_rsa.pub --> chmod 644 (Public Key)
/home/openhabian/.ssh/known_hosts --> chmod 644

At last step you can do some Security Improvements on Synology:

  • Deny openhab user in GUI access to each folder except the homes folder
  • Deny access to all applications in GUI
  • Do not allow the openhab user to change his own password in GUI

I tried these steps with my raspberry and synology ds216play.

1 Like
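The permission values quoted in this reply and in steps 3 D and 4 can be checked mechanically on both machines. The script below is an added example, not code from any poster; it treats the listed modes as upper bounds, and the function names and the `client`/`server` arguments are this example's own.

```sh
#!/bin/sh
# Added example: flag SSH files that are more open than the modes quoted in the thread.

# mode_of PATH -> octal permission bits (GNU stat, with a BSD stat fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_modes BASE REL:MAXMODE... -> prints one line per file, returns the finding count
audit_modes() {
    base=$1; shift
    findings=0
    for spec in "$@"; do
        target=$base/${spec%:*}
        allowed=${spec##*:}
        [ -e "$target" ] || continue              # nothing to check
        actual=$(mode_of "$target")
        # Bits set on the file that the allowed mode does not contain.
        extra=$(( 0$actual & ~0$allowed & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf 'TOO OPEN  %s is %s, allowed at most %s\n' "$target" "$actual" "$allowed"
            findings=$((findings + 1))
        else
            printf 'ok        %s is %s\n' "$target" "$actual"
        fi
    done
    return "$findings"
}

# Client side (openHABian): the "default rights" list from the thread.
audit_client() {
    audit_modes "$1" .:700 id_rsa:600 id_rsa.pub:644 known_hosts:644
}

# Server side (Synology home of openhab): 755 home, 700 .ssh, 640 authorized_keys.
audit_server_home() {
    audit_modes "$1" .:755 .ssh:700 .ssh/authorized_keys:640
}

# Usage: sh audit.sh client /home/openhab/.ssh | sh audit.sh server /volume1/homes/openhab
case "${1:-}" in
    client) audit_client "$2" ;;
    server) audit_server_home "$2" ;;
esac
```

Run after the `chmod -R 777 .ssh/` of step 4, the client audit reports every entry as too open until the modes are restored.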

Thanks for your feedback. I have edited it in the tut, however I do not recall I had to do those steps. Problem is I only did those once, so I cannot redo the steps here.

Just for future readers, for openhab 3 I had to do 2 things differently:
The exec command syntax is different now, and I had to separate arguments in the exec command.

The other one is that I actually needed to generate the ssh keys as user openhab.

Also, the option “RSAAuthentication yes” wasn’t necessary and isn’t a valid option anymore.

I know you posted that 2 years ago but I’m trying to shutdown a Synology server from Openhab3 and when I call

executeCommandLine("sudo", "-u", "openhab", "ssh", "openhab@xxx.xxx.xxx.xxx", "sudo", "poweroff");

I get the following error ‘Sorry, user openhab is not allowed to execute ‘/usr/bin/ssh openhab@xxx.xxx.xxx.xxx sudo poweroff’ as openhab on openHABianDevice.’ What do you mean exactly by

The other one is that I actually needed to generate the ssh keys as user openhab.

On openhab server I only have openhabian user and openhab user only exists on the Synology server.

Actually user openhab also exists on the server and needs to be enabled to run SSH.
This thread may help you

1 Like

Ok, thank you. You are right. I was mixing up users between the ‘Openhabian’ device and the Synology server.

What I did and finally works:

  • As @Mark_Vitarius said, the executeCommandLine needs to pass all the “words” of the command as an argument (what they actually are when you type a command).
  • Still as @Mark_Vitarius said, I copied (it was already generated) the ssh keys to the synology by typing
sudo -u openhab ssh-copy-id openhab@xxx.xxx.xxx.xxx

which forces the user openhab from the openhabian device to copy his ssh keys to the openhab user on the Synology.

  • As the thread you kindly mentioned, I had to add the user openhab (from the Openhabian device) to the sudoers with no password.

Thank you for your help @Lionello_Marrelli. I lost a whole day trying unsuccessfully, and your help allowed me to accomplish it in just an hour.

1 Like

Hello @all,
I’m running openhab in a docker on synology.
Do I have to do the same things (like in the tutorial) to restart the container from the OH side?

Thx Stephan