SSH & Web Terminal - Community Hass.io Add-on for Home Assistant

Community Hass.io Add-ons: SSH & Web Terminal

This add-on allows you to log in to your Hass.io Home Assistant instance using SSH or by using the Web Terminal.

Web Terminal in the Home Assistant Frontend

About

This add-on allows you to log in to your Hass.io Home Assistant instance using SSH or a Web Terminal, giving you access to your Hass.io folders. It also includes a command-line tool to do things like restart, update, and check your instance.

This is an enhanced version of the SSH add-on provided by Home Assistant. It focuses on security, usability and flexibility, and also provides access using a web interface.

WARNING

The SSH & Web Terminal add-on is really powerful and gives you access to virtually all tools and almost all hardware of your system.

While this add-on is created and maintained with care and with security in mind, in the wrong or inexperienced hands, it could damage your system.

Features

This add-on, of course, provides an SSH server based on OpenSSH, as well as a web-based terminal (which can be included in your Home Assistant frontend). Additionally, it comes out of the box with the following:

  • Access your command line right from the Home Assistant frontend!
  • A secure default configuration of SSH:
    • Only allows login by the configured user, even if more users are created.
    • Only uses known secure ciphers and algorithms.
    • Limits login attempts to hold off brute-force attacks better.
    • Many more security tweaks: this add-on passes all ssh-audit checks without warnings (see the ssh-audit result screenshot).
  • Passwords are checked with HaveIBeenPwned using K-anonymity.
  • Comes with an SSH compatibility mode option to allow older clients to connect.
  • Support for Mosh, allowing roaming and intermittent connectivity.
  • SFTP support is disabled by default but is user configurable.
  • Compatible if Hass.io was installed via the generic Linux installer.
  • Username is configurable, so root is no longer mandatory.
  • Persists custom SSH client settings & keys between add-on restarts.
  • Log levels, allowing you to triage issues more easily.
  • Hardware access to your audio, uart/serial devices and GPIO pins.
  • Runs with more privileges, allowing you to debug and test more situations.
  • Has access to the dbus of the host system.
  • Has the option to access the Docker instance running on the Hass.io host system.
  • Runs on host level network, allowing you to open ports or run little daemons.
  • Have custom Alpine packages installed on start. This allows you to install your favorite tools, which will be available every single time you log in.
  • Execute custom commands on add-on start so that you can customize the shell to your liking.
  • ZSH as its default shell. Easier to use for the beginner, more advanced for the more experienced user. It even comes preloaded with "Oh My ZSH", with some plugins enabled as well.
  • Contains a sensible set of tools right out of the box: curl, Wget, RSync, GIT, Nmap, Mosquitto client, MariaDB/MySQL client, Awake ("wake on LAN"), Nano, Vim, tmux, and a bunch of commonly used networking tools.

Installation

The installation of this add-on is pretty straightforward and not different in comparison to installing any other Hass.io add-on.

  1. If you installed the "SSH server" add-on from the built-in add-on repository, then remove that one first.
  2. Add our Hass.io add-ons repository to your Hass.io instance.
  3. Install the "SSH & Web Terminal" add-on.
  4. Configure the username and password/authorized_keys options.
  5. Activate ssl on the Web Terminal if you use it.
  6. Start the "SSH & Web Terminal" add-on.
  7. Check the logs of the "SSH & Web Terminal" add-on to see if everything went well.

NOTE: Do not add this repository to Hass.io, please use: https://github.com/hassio-addons/repository.

Configuration

Note: Remember to restart the add-on when the configuration is changed.

SSH add-on configuration:

{
  "log_level": "info",
  "ssh": {
    "enable": true,
    "port": 22,
    "username": "hassio",
    "password": "",
    "authorized_keys": [
      "ssh-rsa AASDJKJKJFWJFAFLCNALCMLAK234234....."
    ],
    "sftp": false,
    "compatibility_mode": false,
    "allow_agent_forwarding": false,
    "allow_remote_port_forwarding": false,
    "allow_tcp_forwarding": false
  },
  "web": {
    "enable": true,
    "port": 7681,
    "username": "hassio",
    "password": "changeme",
    "ssl": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "share_sessions": true,
  "packages": [
    "python",
    "python-dev",
    "py-pip",
    "build-base"
  ],
  "init_commands": [
    "pip install virtualenv",
    "pip install yamllint"
  ]
}

Note: This is just an example, don't copy and paste it! Create your own!

Option: log_level

The log_level option controls the level of log output by the add-on and can be changed to be more or less verbose, which might be useful when you are dealing with an unknown issue. Possible values are:

  • trace: Show every detail, like all called internal functions.
  • debug: Shows detailed debug information.
  • info: Normal (usually) interesting events.
  • warning: Exceptional occurrences that are not errors.
  • error: Runtime errors that do not require immediate action.
  • fatal: Something went terribly wrong. Add-on becomes unusable.

Please note that each level automatically includes log messages from a more severe level, e.g., debug also shows info messages. By default, the log_level is set to info, which is the recommended setting unless you are troubleshooting.

Using trace or debug log levels puts the SSH and Terminal daemons into debug mode. While SSH is running in debug mode, it will only be able to accept one single connection at a time.

Option group ssh

The following options are for the option group: ssh. These settings only apply to the SSH daemon.

Option ssh: port

The default port for SSH is 22; some security guides recommend changing the port to something else, and sometimes you'd just like to have it on another port. Remember, if you change the port, be sure it is not in use already!

Option ssh: username

This option allows you to change the username used when you log in via SSH. It is only utilized for the authentication; you will be the root user after you have authenticated. Using root as the username is possible, but not recommended.

Note: Due to limitations, you will need to set this option to root in order to be able to enable the SFTP capabilities.

Note: This option supports secrets, e.g., !secret ssh_username.

Option ssh: password

Sets the password to log in with. Leaving it empty disables the possibility to authenticate with a password. From a security point of view, we highly recommend not using this option.

Note: The password will be checked against HaveIBeenPwned. If it is listed, the add-on will not start.

Note: This option supports secrets, e.g., !secret ssh_password.

Option ssh: authorized_keys

Add one or more public keys to your SSH server to use with authentication. This is recommended over setting a password.

Please take a look at the awesome documentation created by GitHub about using public/private key pairs and how to create them.

Option ssh: sftp

When set to true, the add-on will enable SFTP support on the SSH daemon. Please only enable it when you plan on using it.

Note: Due to limitations, you will need to set the username to root in order to be able to enable the SFTP capabilities.

Option ssh: compatibility_mode

This SSH add-on focuses on security and has therefore only enabled known secure encryption methods. However, some older clients do not support these. Setting this option to true will enable the original default set of methods, allowing those clients to connect.

Note: Enabling this option lowers the security of your SSH server!

Option ssh: allow_agent_forwarding

Specifies whether ssh-agent forwarding is permitted or not.

Note: Enabling this option lowers the security of your SSH server! Nevertheless, this warning is debatable.

Option ssh: allow_remote_port_forwarding

Specifies whether remote hosts are allowed to connect to ports forwarded for the client.

Note: Enabling this affects all remote forwardings, so think carefully before doing this.

Option ssh: allow_tcp_forwarding

Specifies whether TCP forwarding is permitted or not.

Note: Enabling this option lowers the security of your SSH server! Nevertheless, this warning is debatable.

Option group web

The following options are for the option group: web. These settings only apply to the Web Terminal.

Option web: username

This option allows you to enable authentication on accessing the terminal. It is only used for the authentication; you will be the root user after you have authenticated. Using root as the username is possible, but not recommended.

Note: This option supports secrets, e.g., !secret terminal_username.

Option web: password

Sets the password to authenticate with. If you set a password, username becomes mandatory as well.

Note: The password will be checked against HaveIBeenPwned. If it is listed, the add-on will not start.

Note: This option supports secrets, e.g., !secret terminal_password.

Option web: ssl

Enables/Disables SSL (HTTPS) on the web terminal. Set it true to enable it, false otherwise.

Option web: certfile

The certificate file to use for SSL.

Note: The file MUST be stored in /ssl/, which is the default for Hass.io.

Option web: keyfile

The private key file to use for SSL.

Note: The file MUST be stored in /ssl/, which is the default for Hass.io.

Shared settings

The following options are shared between both the SSH and the Web Terminal.

Option: share_sessions

By default, the terminal session between the web client and SSH is shared. This allows you to pick up where you left your terminal from either of those.

This option allows you to disable this behavior by setting it to false, which effectively sets SSH to behave as it used to.

Option: packages

Allows you to specify additional Alpine packages to be installed in your shell environment (e.g., Python, Joe, Irssi).

Note: Adding many packages will result in a longer start-up time for the add-on.

Option: init_commands

Customize your shell environment even more with the init_commands option. Add one or more shell commands to the list, and they will be executed every single time this add-on starts.

Option: i_like_to_be_pwned

Adding this option to the add-on configuration allows you to bypass the HaveIBeenPwned password requirement by setting it to true.

Note: We STRONGLY suggest picking a stronger/safer password instead of using this option! USE AT YOUR OWN RISK!
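The K-anonymity lookup that this option bypasses (the same HaveIBeenPwned check mentioned under Features and under the ssh and web password options) is shown below as an added Python example; it is not the add-on's own code. Only the first five hex characters of the password's SHA-1 are sent to the range endpoint, and the suffix match happens locally. The fetch_range callback, the fake_fetch_range stand-in and the breach counts are constructed for this example.

```python
import hashlib
from typing import Callable, Dict, List

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """K-anonymity lookup: only the first 5 hex chars of the hash leave the host.
    fetch_range(prefix) returns the 'SUFFIX:COUNT' lines that the range endpoint
    (https://api.pwnedpasswords.com/range/<prefix>) answers with; the 35-char
    suffix comparison happens locally, so the service never sees the full hash."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0

def password_acceptable(password: str, fetch_range: Callable[[str], str],
                        i_like_to_be_pwned: bool = False) -> bool:
    """Mirror the documented start-up rule: a listed password blocks start-up unless
    the bypass option is set; an empty password disables password authentication,
    so there is nothing to check."""
    if not password or i_like_to_be_pwned:
        return True
    return pwned_count(password, fetch_range) == 0

# Offline stand-in for the range endpoint, built from constructed breach counts
# (the passwords are well-known weak ones; the counts are made up for this example).
_CONSTRUCTED_BREACHES = {"changeme": 120000, "password": 3700000}
_RANGE_INDEX: Dict[str, List[str]] = {}
for _pw, _count in _CONSTRUCTED_BREACHES.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def fake_fetch_range(prefix: str) -> str:
    """Answers like the real endpoint, but only for the constructed entries above."""
    return "\r\n".join(_RANGE_INDEX.get(prefix, []))

if __name__ == "__main__":
    for pw in ("changeme", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fake_fetch_range), "occurrences")
```

To query the live service, pass a fetch_range that does an HTTPS GET of the range URL above and returns the response body; the rest of the logic is unchanged.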

Option: leave_front_door_open

Adding this option to the add-on configuration allows you to disable authentication on the Web Terminal by setting it to true and leaving the username and password empty.

Note: We STRONGLY suggest not using this, even if this add-on is only exposed to your internal network. USE AT YOUR OWN RISK!
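The constraints and warnings stated for the options above (SFTP needs the root username, a web password needs a username, SSL is required for the OPEN WEB UI button, the forwarding options, compatibility_mode and the two bypass options) can be checked mechanically. The following added Python example, which is not part of the add-on, lints a configuration object shaped like the one under Configuration; lint_addon_config and the two sample configs are constructed for this example and the key material in them is a placeholder.

```python
from typing import Any, Dict, List

FORWARDING_OPTS = ("allow_agent_forwarding", "allow_remote_port_forwarding",
                   "allow_tcp_forwarding")

def lint_addon_config(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per documented constraint or security-relevant setting."""
    findings: List[str] = []
    ssh, web = cfg.get("ssh", {}), cfg.get("web", {})
    if ssh.get("enable", True):
        if not ssh.get("password") and not ssh.get("authorized_keys"):
            findings.append("ssh: no password and no authorized_keys, nobody can log in")
        if ssh.get("password"):
            findings.append("ssh: password login enabled, prefer authorized_keys")
        if ssh.get("sftp") and ssh.get("username") != "root":
            findings.append("ssh: sftp requires username to be root")
        if ssh.get("compatibility_mode"):
            findings.append("ssh: compatibility_mode re-enables the legacy cipher set")
        findings += [f"ssh: {opt} is enabled" for opt in FORWARDING_OPTS if ssh.get(opt)]
    if web.get("enable", True):
        if web.get("password") and not web.get("username"):
            findings.append("web: a password requires a username as well")
        if not web.get("username") and not web.get("password"):
            findings.append("web: terminal has no authentication configured")
        if not web.get("ssl"):
            findings.append("web: ssl is false, credentials cross the network in clear "
                            "and the OPEN WEB UI button will not work")
    if cfg.get("i_like_to_be_pwned"):
        findings.append("i_like_to_be_pwned bypasses the HaveIBeenPwned check")
    if cfg.get("leave_front_door_open"):
        findings.append("leave_front_door_open disables Web Terminal authentication")
    return findings

# Constructed sample configs: a weak one and a hardened one (key contents are placeholders).
WEAK_CONFIG = {
    "ssh": {"enable": True, "username": "hassio", "password": "changeme",
            "authorized_keys": [], "sftp": True, "compatibility_mode": True,
            "allow_tcp_forwarding": True},
    "web": {"enable": True, "username": "", "password": "", "ssl": False},
    "leave_front_door_open": True, "i_like_to_be_pwned": True,
}
HARDENED_CONFIG = {
    "ssh": {"enable": True, "username": "hassio", "password": "",
            "authorized_keys": ["ssh-ed25519 AAAA...placeholder hass@laptop"],
            "sftp": False, "compatibility_mode": False},
    "web": {"enable": True, "username": "hassio", "password": "<strong unique passphrase>",
            "ssl": True, "certfile": "fullchain.pem", "keyfile": "privkey.pem"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_addon_config(cfg) or ["no findings"])
```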

Embedding into Home Assistant

It is possible to embed the Web Terminal directly into Home Assistant, allowing you to access your terminal through the Home Assistant frontend.

Home Assistant provides the panel_iframe component, for these purposes.

Example configuration:

panel_iframe:
  terminal:
    title: Terminal
    icon: mdi:console
    url: https://addres.to.your.hass.io:7681

Known issues and limitations

  • The add-on fails to start when a password that is listed by HaveIBeenPwned is used. This is actually not a limitation, but a security feature.

  • My browser throws an ERR_SSL_PROTOCOL_ERROR. The OPEN WEB UI button only works when SSL is enabled.

  • When SFTP is enabled, the username MUST be set to root.

  • The following error may occur in your add-on log, and can be safely ignored:

    ERR: lws_context_init_server_ssl: SSL_CTX_load_verify_locations unhappy

Changelog & Releases

This repository keeps a change log using GitHub's releases functionality. The format of the log is based on Keep a Changelog.

Releases are based on Semantic Versioning, and use the format of MAJOR.MINOR.PATCH. In a nutshell, the version will be incremented based on the following:

  • MAJOR: Incompatible or major changes.
  • MINOR: Backwards-compatible new features and enhancements.
  • PATCH: Backwards-compatible bugfixes and package updates.

Support

Got questions?

You have several options to get them answered:

You could also open an issue here on GitHub.

Contributing

This is an active open-source project. We are always open to people who want to use the code or contribute to it.

We have set up a separate document containing our contribution guidelines.

Thank you for being involved! 😍

Authors & contributors

The original setup of this repository is by Franck Nijhof.

For a full list of all authors and contributors, check the contributors page.

We have got some Hass.io add-ons for you

Want some more functionality to your Hass.io Home Assistant instance?

We have created multiple add-ons for Hass.io. For a full list, check out our GitHub Repository.

License

MIT License

Copyright (c) 2017 Franck Nijhof

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.