Controlling Ubiquiti U6-LR WiFi Access Point LED Colour in Home Assistant

Some of the newer access points from Ubiquiti feature an RGB status LED, normally used to indicate whether the access point is functioning correctly. Out of the box, Ubiquiti allow you to set a default colour of your choice through the Network application hosted on your controller. On the Ubiquiti community forms, user ‘iberoll’ asked if it was possible to set this colour through the command line. Another user discovered it was possible to programmatically change the colour by writing an numeric RGB value to /proc/ubnt_ledbar/custom_color

Being able to change the colour of the RGB LED is fun, but using the LED in a meaningful way, such as exposing it to Home Assistant to use as part of an automation, is much more useful.

Enabling SSH on the Access Point

The first stage is to enable SSH access to the access point. All screenshots and instructions are using the new UniFi interface. Open “Settings” then select “System” and scroll down the page to “Application Configuration”. Expand this and select “Device SSH Authentication” to open the SSH configuration options.

Toggle “Device SSH Authentication” to on and note the existing username and password or set your own. Finally, click “Apply Changes” to save these settings.

Using your SSH client of choice, you can now log in to the Access Point by connecting to it’s IP address and using the credentials specified above. Test that you are able to change the LED colour by issuing the following command to turn it red:

$ echo -n 255,0,0 > /proc/ubnt_ledbar/custom_color

Configuring Passwordless SSH Login

Home Assistant has an integration that will allow it to execute a script on the local machine. We can use this integration to connect via SSH to the access point and remotely change the LED colour. Interactive login with a username and password however is not possible, so we need to use an SSH Key instead.

SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.

The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.

The associated public key can be shared freely without any negative consequences. The public key can be used to encrypt messages that only the private key can decrypt. This property is employed as a way of authenticating using the key pair.

The public key is uploaded to a remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called ~/.ssh/authorized_keys.

When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.

Source: How To Configure SSH Key-Based Authentication on a Linux Server | DigitalOcean

Generate the SSH Key

Access the Home Assistant CLI, either directly or via the use of the SSH Add-on. Generate a keypair by issuing the command

$ ssh-keygen -t rsa -b 2048

It will prompt to enter the location to save the file, hit enter to use the default location. It will now ask you to enter a passphrase. Again, hit enter to skip and confirm this by hitting enter a third time:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

The generated keys have been stored in the root directory, which is not considered to be persistent storage. To ensure the keys don’t get removed during an upgrade, they must be moved to the config folder.

Change to the config folder and generate a directory called .ssh in which to store the keys. Finally, move the keys you’ve just generated to this new folder.

$ cd /config
$ mkdir .ssh
$ cp /root/.ssh/* .ssh/

Push the SSH Key to the Access Point

You will now need the username and password configured on the Device SSH Authentication page of the UniFi Controller.

From the Home Assistant command line, issue the following, replacing USERNAME with the username specified previously and adjust the IP address to that of your Access Point.

 $ ssh-copy-id [email protected]

You will now be prompted to enter the password previously specified:

[email protected]'s password:

This will log into the access point, copy your public key, and configure it to allow access by adding it to the authorized_keys file.

You can check that it was successful by logging into the access point from the Home Assistant CLI:

$ ssh [email protected]

It should log you in without prompting for a password.

Access Point Firmware Upgrades and Reprovisioning

Note that if you apply a firmware upgrade or make any changes that cause the Access Point to reprovision, then the key may be wiped from it. You won’t need to go through the steps to regenerate the SSH Key, but you will need to push the key that already exists on your Home Assistant install using the instructions in the previous step. You may therefore find it useful to set up an automation to attempt to push the key on a regular basis.

Configuring the Shell Command Integration in Home Assistant

In order to call the scripts, they must be added to the configuration.yaml file as per the integration’s documentation. Home Assistant will look in the wrong place for the SSH Key, so the correct location must be specified with the -i flag. Below is an example of some pre-defined colours.

shell_command:
  u6lr_red: ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] 'echo -n 255,0,0 > /proc/ubnt_ledbar/custom_color'
  u6lr_green: ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] 'echo -n 0,255,0 > /proc/ubnt_ledbar/custom_color'
  u6lr_blue: ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] 'echo -n 0,0,255 > /proc/ubnt_ledbar/custom_color'
  u6lr_white: ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] 'echo -n 255,255,255 > /proc/ubnt_ledbar/custom_color'
  u6lr_off: ssh -i /config/.ssh/id_rsa -o 'StrictHostKeyChecking=no' [email protected] 'echo -n 0,0,0 > /proc/ubnt_ledbar/custom_color'

Once added, restart Home Assistant to trigger a re-read of the configuration file. The commands will be exposed as a callable service such as shell_command.u6lr_blue

You may also like...

2 Responses

  1. Karl says:

    Does not seem to work on the current U6-LR

    • Jamie says:

      Thanks to coronavirus related supply chain shortages, a number of Ubiquiti’s products have had their hardware revised. Sadly some of the more recently produced access points that previously had RGB LEDs in them now just have blue and white LEDs to save on a silicon package. No idea if this is just a temporary solution or will be a more permanent change.

Leave a Reply

Your email address will not be published. Required fields are marked *