© Screek Workshop

[HA Exploration] Using the nmcli command to manage the network in HA, with root privileges enabled.

Create Date
Apr 17, 2026 10:48 PM
  • In our recent test environment setup, we used IPv6 to access HA; apart from the addresses frequently changing, it worked very well.
    • Typically, both /64 (prefix) and /128 (privacy addresses) coexist.
    • HA enables IPv6 privacy extensions by default, so the addresses will change.
  • In a standard HA terminal, you cannot access the nmcli command; you must switch to root.
    • Standard SSH clients and terminals run within the container, not on the host system.
    • nmcli belongs to the HAOS host layer.
  • You can gain root access by providing a public key file on a USB drive; the import is triggered either by the command-line ha os import or by restarting.
    • Essentially, this writes to /root/.ssh/authorized_keys.
    • To revoke this, write a new authorisation file to overwrite it, or delete it directly:
    • rm /root/.ssh/authorized_keys
  • An interesting method involves using an application plugin called SSH 22222 by lildude (https://community.home-assistant.io/t/add-on-hassos-ssh-port-22222-configurator/264109). By disabling its protection mode, you can write the public key to the configuration file, run it once, and check the logs to confirm whether it has been enabled.
    • Essentially, it also writes to /root/.ssh/authorized_keys
    • This plugin does not provide a function to disable SSH.
    • It has a web interface, but that is for earning security points.
    • To disable it, we would need to delete the root public key file whilst in root mode.
      • This file is the core of the entire SSH system.
  • There are many tutorials on generating SSH public-private key pairs, including those on GitHub.
    • Simply put, you generate two files using the following command:
    • ssh-keygen -t ed25519
    • The private key remains local, whilst the public key is written to HA.
    • The filenames do not have to be the defaults; you can customise them.
    • If you have multiple files, you will need to create an SSH configuration file locally, add the host (your HA address) to it, and then connect to that address via SSH.
  • Once logged in as root, most files are read-only; critical configuration files such as network settings are mounted.
    • You can use nmcli to perform advanced network customisation and similar tasks.
  • nmcli configurations may be overwritten after reconfiguring HA’s network; this has not yet been verified.
    • HA itself has its own network management logic, exposed through the ha network command.
    • If you wish to understand how HA fully interprets the entire network configuration and how it generates IPv6 private addresses, nmcli provides a more comprehensive view than the ha network command.
  • Within HA, we have also noted the presence of multiple SSH add-ons, including a basic one and an advanced one. We must acknowledge that HA draws on the collective wisdom of many people in numerous areas, but the way these elements are integrated is not always straightforward to understand.
    • Each has its own SSH server configuration, essentially running SSH within a container.
    • If you open the port, you can connect to this container environment using a client.
    • The basic SSH add-on resides within a deeper container.
      • Its web interface (the JavaScript component xterm.js) has some minor issues; copying selected text seems to have a bug on Mac.
    • The advanced SSH add-on appears to be situated slightly closer to the outer layer.
      • It resolves some of the scrolling issues, but introduces new interaction problems.
      • This plugin requires you to enter some arbitrary information; otherwise, it will not start (used for logging into other services).
      • You can run the following within this plugin to log in with root privileges and then view nmcli:
      • ssh 127.0.0.1 -p 22222
      • This way, you do not need a client, nor do you need to be near the machine.
  • In summary, when you wish to use the nmcli command, you require root privileges; the author’s ssh 22222 is a clever plugin that allows you to enable this without physical access. It is advisable to deactivate root privileges once you have finished.
    • The simplest way to deactivate them is to delete the following whilst logged in as root:
    • /root/.ssh/authorized_keys

Finally, we would like to provide as comprehensive a demonstration as possible.

  • First of all, you will need to have a private key and a public key ready; these are usually generated using the ssh-keygen command.
    1. ssh-keygen -t ed25519
    2. Two files will then be generated
    3. ~/.ssh/id_ed25519 ← Private key (do not disclose)
       ~/.ssh/id_ed25519.pub ← Public key (can be used with the SSH 22222 plugin)
  • To begin with, as we know, we cannot use the nmcli command because we do not have sufficient privileges.
  • Write the contents of the public key to the ssh 22222 add-on, start or restart the add-on once, and check the logs. If everything is as expected, we now need to restart the HA system (the entire HA system). This is a one-off tool; once it has been successfully executed, you will never need to run it again unless required.
  • Import the key into SSH to enable login. You can do this using Vim or a file editor plugin; here, we’ll use the simpler file editor method.
    ➜  ~ mv /config/id_ed25519 ~/.ssh
    ➜  ~ chmod 600 ~/.ssh/id_ed25519 
    ➜  ~ ssh 127.0.0.1 -p 22222      
    Welcome to Home Assistant OS.
    
    Use `ha` to access the Home Assistant CLI.
    # nmcli | head -5
    end0: connected to Supervisor end0
            "end0"
  • Finally, once we have finished using it, we can delete the public key file whilst logged in as root and restart HA to disable this login capability.
    ➜  ~ ssh 127.0.0.1 -p 22222
    Welcome to Home Assistant OS.
    
    Use `ha` to access the Home Assistant CLI.
    # rm /root/.ssh/authorized_keys 
    # systemctl restart dropbear.service
    Connection to 127.0.0.1 closed by remote host.
    Connection to 127.0.0.1 closed.
    ➜  ~ ssh 127.0.0.1 -p 22222
    ssh: connect to host 127.0.0.1 port 22222: Connection refused
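
The post revokes root access by deleting /root/.ssh/authorized_keys outright; when that file holds more than one key, a narrower option is to list what is authorized and remove only the key that was added for the add-on. The following is an added example, not code from the original post or from the SSH 22222 add-on: the function names (list_keys, count_keys, revoke_key, make_sample) and the sample keys are assumptions constructed for illustration, and it needs only POSIX sh and awk.

```shell
# Added example, not from the original post. Paths and keys are constructed.
# Print "type comment" for each key line, skipping blank and comment lines.
list_keys() {
    awk '!/^[ \t]*(#|$)/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
            print $i, (i + 2 <= NF ? $(i + 2) : "(no comment)"); break
        }
    }' "$1"
}

count_keys() { list_keys "$1" | wc -l | tr -d ' '; }

# Remove only the key whose base64 blob matches the one in PUBFILE.
# Returns 1 if that key was not authorized, 2 if PUBFILE holds no key.
revoke_key() {
    file=$1; pubfile=$2; tmp="$file.tmp.$$"
    blob=$(awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }' "$pubfile")
    [ -n "$blob" ] || { echo "no key in $pubfile" >&2; return 2; }
    # Exact field comparison; umask keeps the rewritten file private (0600).
    ( umask 077
      awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
          "$file" > "$tmp" )
    if [ "$(count_keys "$tmp")" -eq "$(count_keys "$file")" ]; then
        rm -f "$tmp"; return 1
    fi
    if [ "$(count_keys "$tmp")" -eq 0 ]; then
        rm -f "$tmp" "$file"    # no key left: same end state as the post's rm
    else
        mv "$tmp" "$file"
    fi
}

# Constructed sample data (placeholder blobs, not real keys).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne+aaa/111 laptop@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo+bbb/222 ha-addon@example
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample "$d/authorized_keys"
    sed -n 3p "$d/authorized_keys" > "$d/addon.pub"
    revoke_key "$d/authorized_keys" "$d/addon.pub"; list_keys "$d/authorized_keys"
    rm -rf "$d"
fi
```

Run the script with --demo to exercise it on the constructed sample.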