Skip to content

Feature/ssh server#92

Open
heman22union wants to merge 3 commits into
heytcass:mainfrom
heman22union:feature/ssh-server
Open

Feature/ssh server#92
heman22union wants to merge 3 commits into
heytcass:mainfrom
heman22union:feature/ssh-server

Conversation

@heman22union

Copy link
Copy Markdown

Summary

Adds an opt-in SSH server so you can connect to the addon container directly from VS Code Remote, a Mac terminal, or any SSH client — without going through the web terminal.

Three new options:

  • enable_ssh — toggle, default false
  • ssh_port — port to listen on, default 2222 (also exposed in addon port mappings)
  • ssh_authorized_keys — list of public keys; password authentication is disabled

Usage

  1. Enable enable_ssh: true in addon config
  2. Paste your public key (cat ~/.ssh/id_ed25519.pub) into ssh_authorized_keys
  3. Map port 2222 in the addon's Network settings
  4. Connect: ssh root@<ha-ip> -p 2222
  5. Attach to the running Claude session: ssh root@<ha-ip> -p 2222 -t "tmux attach -t claude"

Implementation notes

  • SSH host keys are persisted under $ANTHROPIC_HOME/ssh/ (which respects claude_data_path if set) so your SSH client won't warn about key changes on container restart
  • authorized_keys is written to $HOME/.ssh/authorized_keys — correctly follows claude_data_path if configured
  • bashio::config returns a raw string for single-item lists rather than a JSON array — the key writing handles both cases
  • Password authentication is disabled; public key only

Test plan

  • Addon starts normally with enable_ssh: false (default) — no sshd running
  • Enabling SSH with a valid public key allows connection on configured port
  • Host keys persist across container restarts (no SSH client key-change warnings after first connect)
  • Password authentication is rejected
  • tmux attach -t claude over SSH attaches to the running Claude session
  • Works correctly alongside claude_data_path set to a non-default path

heman and others added 3 commits April 22, 2026 08:24
Adds an enable_ssh toggle (default off) that starts an OpenSSH server
inside the container, allowing direct SSH access from VS Code, Mac
terminal, or any SSH client.

- enable_ssh: toggle (default false)
- ssh_port: port to listen on (default 2222, exposed in addon ports)
- ssh_authorized_keys: list of public keys; password auth disabled
- host keys persisted in /data/ssh/ so client doesn't warn on restart

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…rized_keys

bashio::config returns a raw string for single-item lists, not a JSON
array. Detect the type and handle both cases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
lcoppenr added a commit to lcoppenr/home-assistant-addons that referenced this pull request Jun 7, 2026
Based on heman22union's PR heytcass#92 (heytcass#92).

Adds opt-in SSH server with pubkey-only authentication:
- enable_ssh toggle (default false)
- ssh_port config (default 2222)
- ssh_authorized_keys list
- Persistent host keys in $ANTHROPIC_HOME/ssh/

Hardening applied on top of PR heytcass#92:
- PermitRootLogin prohibit-password (was: yes)
- KbdInteractiveAuthentication no
- UsePAM no
- X11Forwarding no
- MaxAuthTries 3
- LoginGraceTime 30
- Explicit chmod 600 on host key private files
- Warning when SSH enabled but no authorized keys configured

Version bumped to 2.2.3.
lcoppenr added a commit to lcoppenr/home-assistant-addons that referenced this pull request Jun 7, 2026
Based on heman22union's PR heytcass#92 (heytcass#92).

Adds opt-in SSH server with pubkey-only authentication:
- enable_ssh toggle (default false)
- ssh_port config (default 2222)
- ssh_authorized_keys list
- Persistent host keys in $ANTHROPIC_HOME/ssh/

Hardening applied on top of PR heytcass#92:
- PermitRootLogin prohibit-password (was: yes)
- KbdInteractiveAuthentication no
- UsePAM no
- X11Forwarding no
- MaxAuthTries 3
- LoginGraceTime 30
- Explicit chmod 600 on host key private files
- Warning when SSH enabled but no authorized keys configured

Version bumped to 2.2.3.
lcoppenr added a commit to lcoppenr/home-assistant-addons that referenced this pull request Jul 8, 2026
Based on heman22union's PR heytcass#92 (heytcass#92).

Adds opt-in SSH server with pubkey-only authentication:
- enable_ssh toggle (default false)
- ssh_port config (default 2222)
- ssh_authorized_keys list
- Persistent host keys in $ANTHROPIC_HOME/ssh/

Hardening applied on top of PR heytcass#92:
- PermitRootLogin prohibit-password (was: yes)
- KbdInteractiveAuthentication no
- UsePAM no
- X11Forwarding no
- MaxAuthTries 3
- LoginGraceTime 30
- Explicit chmod 600 on host key private files
- Warning when SSH enabled but no authorized keys configured

Version bumped to 2.2.3.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant