Running remote power actions from Home Assistant is convenient, but giving full sudo access can feel risky. By using SSH keys, a dedicated user account, and carefully limited permissions, you can safely shut down or reboot Linux machines from your dashboard. This guide explains how to set up the SSH key in Home Assistant, restrict a Linux user to only the actions you allow, and connect everything with simple command-line switches so your automations remain safe.
Prerequisites:
- Home Assistant installed with shell access (via Terminal & SSH add-on or host console).
- A Linux machine (e.g., Raspberry Pi or PC) with SSH enabled and sudo privileges available.
- Basic familiarity with YAML configuration in Home Assistant.
1. Generate an SSH Key Pair in Home Assistant
On your Home Assistant instance, create a secure SSH key pair for authentication. We'll use Ed25519 for modern security and efficiency.
Run these commands in the Home Assistant terminal:
mkdir -p /config/ssh_keys
ssh-keygen -t ed25519 -f /config/ssh_keys/id_ed25519_homeassistant -C "homeassistant remote control"
chmod 600 /config/ssh_keys/id_ed25519_homeassistant
- This generates a private key (id_ed25519_homeassistant) and a public key (id_ed25519_homeassistant.pub).
- The -C flag adds a comment for identification.
- chmod 600 ensures only the owner can read the private key.
Copy the public key contents for use in Step 3:
cat /config/ssh_keys/id_ed25519_homeassistant.pub
2. Create a Dedicated User on the Linux Machine
On the target Linux machine, create a restricted user account for Home Assistant.
sudo useradd -m -s /bin/bash homeassistant
- -m creates a home directory (/home/homeassistant).
- -s /bin/bash sets the default shell.
Add the user to the sudo group for elevated privileges (we'll restrict these in Step 4):
sudo usermod -aG sudo homeassistant
3. Configure SSH Access for the New User
sudo -u homeassistant mkdir -p /home/homeassistant/.ssh
sudo -u homeassistant chmod 700 /home/homeassistant/.ssh
sudo -u homeassistant touch /home/homeassistant/.ssh/authorized_keys
sudo -u homeassistant chmod 600 /home/homeassistant/.ssh/authorized_keys
Append the Home Assistant public key (from Step 1) to authorized_keys. Replace <PUBLIC_KEY> with the full output from cat:
sudo -u homeassistant tee -a /home/homeassistant/.ssh/authorized_keys > /dev/null << 'EOF'
<PUBLIC_KEY>
EOF
Validate the SSH daemon configuration and reload it:
sudo sshd -t
sudo systemctl reload ssh
4. Restrict sudo Privileges
To prevent the homeassistant user from executing arbitrary commands, limit sudo to only power management binaries. Edit the sudoers file safely:
sudo visudo
Add this line at the end of the file:
homeassistant ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
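- NOPASSWD: allows execution without a password prompt.
- This restricts the user to only these commands and their aliases/symlinks; because no arguments are listed, any arguments are accepted (e.g., shutdown -h now).
- Save and exit.
Validation: Test with sudo -u homeassistant sudo -l to confirm only the allowed commands appear. If the output also shows an (ALL : ALL) ALL entry, it comes from the sudo group membership added in Step 2, which this line does not override.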
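The sudoers rule limits what the account can run as root, but the SSH key still opens a normal shell as homeassistant. As an added example (not part of the original guide), the wrapper below goes one step further and ties the key to the two commands this guide sends, using OpenSSH's forced-command mechanism; the path /usr/local/bin/ha-power and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Forced-command wrapper for
# the Home Assistant key; the path /usr/local/bin/ha-power is an assumption.
#
# Install it root-owned and not writable by the homeassistant user, then
# prefix the key from Step 3 in authorized_keys (all on one line):
#   restrict,command="/usr/local/bin/ha-power" <PUBLIC_KEY>
#
# sshd then runs this script for every login with that key, whatever the
# client asked for, and exposes the request in SSH_ORIGINAL_COMMAND.

# Map the requested command string to the fixed command to execute.
# Prints the command and returns 0 when allowed; returns 1 otherwise.
# Matching is on the whole string, so "sudo reboot; <anything>" is refused.
ha_power_resolve() {
    case "$1" in
        "sudo reboot")          echo "sudo /sbin/reboot" ;;
        "sudo shutdown -h now") echo "sudo /sbin/shutdown -h now" ;;
        *)                      return 1 ;;
    esac
}

ha_power_main() {
    requested=${SSH_ORIGINAL_COMMAND:-}   # empty for an interactive login
    if cmd=$(ha_power_resolve "$requested"); then
        logger -t ha-power "allowed: $requested" 2>/dev/null || true
        # $cmd is one of the constants above, so word splitting is safe here.
        exec $cmd
    fi
    logger -t ha-power "denied: $requested" 2>/dev/null || true
    echo "ha-power: command not permitted" >&2
    return 1
}

# Act only when installed under the expected name, so the file can be
# sourced or tested without executing anything.
case "$0" in
    */ha-power) ha_power_main; exit $? ;;
esac
```

The ssh commands in Steps 5 and 6 work unchanged, since the wrapper matches the exact strings they send.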
5. Test SSH Access and Commands
Before integrating with Home Assistant, verify connectivity and permissions. From the Home Assistant terminal, run:
ssh -i /config/ssh_keys/id_ed25519_homeassistant -o StrictHostKeyChecking=no homeassistant@<linux-machine-ip> sudo reboot
- Replace <linux-machine-ip> with your machine's IP (e.g., 192.168.1.100).
- -o StrictHostKeyChecking=no skips host key verification for initial setup, so ssh connects without confirming the identity of the machine it reaches.
- This should reboot the machine without errors. Monitor via ping or console to confirm.
If it fails:
- Check firewall rules (e.g., ufw allow from <ha-ip> to any port 22).
- Ensure the private key path is correct and permissions are 600.
6. Add Shutdown and Reboot Switches in Home Assistant
Use Home Assistant's command-line switch integration for toggleable controls. These switches reflect the machine's availability (via ping) and trigger actions when toggled off—logical for "power off" semantics.
First, ensure command_line: is included in your configuration.yaml:
command_line: !include command_line.yaml
Create or edit /config/command_line.yaml and add:
# One "- switch:" entry per switch; each entry takes a mapping of options.
- switch:
    name: Linux Machine Shutdown
    command_off: 'ssh -i /config/ssh_keys/id_ed25519_homeassistant -o StrictHostKeyChecking=no homeassistant@<linux-machine-ip> sudo shutdown -h now'
    # State is "on" while the machine answers a single ping.
    command_state: 'ping -c 1 <linux-machine-ip> > /dev/null 2>&1 && echo "on" || echo "off"'
    value_template: '{{ value == "on" }}'
    scan_interval: 60
    icon: >
      {% if is_state('switch.linux_machine_shutdown', 'on') %}
        mdi:power
      {% else %}
        mdi:power-off
      {% endif %}
- switch:
    name: Linux Machine Reboot
    command_off: 'ssh -i /config/ssh_keys/id_ed25519_homeassistant -o StrictHostKeyChecking=no homeassistant@<linux-machine-ip> sudo reboot'
    command_state: 'ping -c 1 <linux-machine-ip> > /dev/null 2>&1 && echo "on" || echo "off"'
    value_template: '{{ value == "on" }}'
    scan_interval: 60
    icon: >
      {% if is_state('switch.linux_machine_reboot', 'on') %}
        mdi:restart
      {% else %}
        mdi:restart-alert
      {% endif %}
Reload the Command Line integration (Settings > Devices & Services > Integrations > Command Line > Reload) or restart Home Assistant. The switches will appear in your dashboard under Switches.
Wake-on-LAN (Optional): If your Linux machine supports Wake-on-LAN (WOL), integrate Home Assistant's native Wake on LAN integration for a more robust power-on experience. This avoids relying on external binaries like wakeonlan and uses a dedicated service call.