@PackElend, I can confirm that
balena ssh <device-UUID> does not require adding a public ssh key to a device’s
config.json file (regardless of whether it is running a production or development image of balenaOS), as long as the device can access balenaCloud (i.e. the device has access to the internet and no firewall is blocking its access to
You should not need to use the
ssh-key-insert script in order to use
balena ssh <device-UUID>.
balena-cli\bin>balena ssh <uuid> expect the
PuTTY key > OpenSSH key to be stored as the
-i flag is not working in the CLI?
I understand that PuTTY store SSH keys in the Windows Registry, but the balena CLI does not look for keys in the Windows Registry, and in this sense it is not compatible with PuTTY. (There may be a way of making it work with PuTTY, but it is not a documented/supported scenario.)
The balena CLI assumes the use of Microsoft’s built-in ssh client that ships with Windows 10 or later. (Microsoft introduced the built-in ssh client through a Windows 10 maintenance update in year 2018.)
--verbose what reveals that only
%USERPROFILE%/.ssh/ is checked for the
identity file .
Exactly. Your public and private ssh keys should be in that directory.
Here’s an example of how to generate the keys using PowerShell.
ssh-agent are the Microsoft built-ins, rather than PuTTY’s:
PS C:\Users\paulo> Get-Command ssh | Format-Table -AutoSize
PS C:\Users\paulo> Get-Command ssh-add | Format-Table -AutoSize
PS C:\Users\paulo> Get-Command ssh-agent | Format-Table -AutoSize
PS C:\Users\paulo> Get-Command ssh-keygen | Format-Table -AutoSize
CommandType Name Version Source
----------- ---- ------- ------
Application ssh.exe 188.8.131.52 C:\WINDOWS\System32\OpenSSH\ssh.exe
Application ssh-add.exe 184.108.40.206 C:\WINDOWS\System32\OpenSSH\ssh-add.exe
Application ssh-agent.exe 220.127.116.11 C:\WINDOWS\System32\OpenSSH\ssh-agent.exe
Application ssh-keygen.exe 18.104.22.168 C:\WINDOWS\System32\OpenSSH\ssh-keygen.exe
Generate a public/private key pair as follows. The most widely recommended key type nowadays appears to be Ed25519 (e.g. Microsoft guide and GitHub guide) as RSA is increasingly considered less secure, so:
PS C:\Users\paulo> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\paulo/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\paulo/.ssh/id_ed25519.
Your public key has been saved in C:\Users\paulo/.ssh/id_ed25519.pub.
The key fingerprint is: ...
PS C:\Users\paulo> dir C:\Users\paulo\.ssh\
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 28/01/2022 16:39 464 id_ed25519
-a---- 28/01/2022 16:39 104 id_ed25519.pub
PS C:\Users\paulo> type .\.ssh\id_ed25519.pub
ssh-ed25519 AAA... paulo@DESKTOP-3021L0B
Now copy the public key component (contents of the
id_ed25519.pub file – output of the
type command above) to the balenaCloud web dashboard: Preferences → SSH Keys → Add a new SSH key → Add key manually. (The contents of the Title field are just for your own reference and not used by the balena CLI.)
Something to double check: Ensure that you are using the same balenaCloud account (same username) when logging in to the web dashboard and when logging in to the balena CLI. Find the web dashboard username by clicking on your name at the top-right corner of the window – this raises a pop-up menu that shows the username. Check that the username matches against the output of the CLI’s
balena whoami command.
Note re private key passphrase:
ssh-keygen prompts you for a passphrase, it is good security practice to set one (not leaving it blank). Then, for convenience, to avoid having to type the private key’s passphrase every time you run
balena ssh, run the
ssh-agent service as per Microsoft’s guide. That is:
On a PowerShell prompt opened as Administrator:
PS C:\WINDOWS\system32> Get-Service ssh-agent | Set-Service -StartupType Manual
PS C:\WINDOWS\system32> Start-Service ssh-agent
PS C:\WINDOWS\system32> Get-Service ssh-agent
Status Name DisplayName
------ ---- -----------
Running ssh-agent OpenSSH Authentication Agent
On a PowerShell prompt opened as regular user:
PS C:\Users\paulo> ssh-add
Enter passphrase for C:\Users\paulo/.ssh/id_ed25519:
Identity added: C:\Users\paulo/.ssh/id_ed25519 (paulo@DESKTOP-3021L0B)
PS C:\Users\paulo> balena ssh aab9ad....
Welcome to balenaOS
You should then only need to re-enter the passphrase when the workstation is rebooted.
Finally, regarding the following debugging output:
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
It is normal, not a problem. ssh’s debugging output seems to use the word “failed” whenever some configuration file doesn’t exist, even when harmless.