add SSH key after provisioning to production device?

@PackElend, I can confirm that balena ssh <device-UUID> does not require adding a public ssh key to a device’s config.json file (regardless of whether it is running a production or development image of balenaOS), as long as the device can access balenaCloud (i.e. the device has access to the internet and no firewall is blocking its access to *.balena-cloud.com).

You should not need to use the ssh-key-insert script in order to use balena ssh <device-UUID>.

Where does balena-cli\bin>balena ssh <uuid> expect the PuTTY key > OpenSSH key to be stored, as the -i flag is not working in the CLI?

I understand that PuTTY stores SSH keys in the Windows Registry, but the balena CLI does not look for keys in the Windows Registry, and in this sense it is not compatible with PuTTY. (There may be a way of making it work with PuTTY, but it is not a documented/supported scenario.)

The balena CLI assumes the use of Microsoft’s built-in ssh client that ships with Windows 10 or later. (Microsoft introduced the built-in ssh client through a Windows 10 maintenance update in 2018.)

I ran --verbose, which reveals that only %USERPROFILE%/.ssh/ is checked for the identity file.

Exactly. Your public and private ssh keys should be in that directory.

Here’s an example of how to generate the keys using PowerShell.

Confirm that ssh, ssh-keygen, ssh-add and ssh-agent are the Microsoft built-ins, rather than PuTTY’s:

PS C:\Users\paulo> Get-Command ssh | Format-Table -AutoSize
PS C:\Users\paulo> Get-Command ssh-add | Format-Table -AutoSize
PS C:\Users\paulo> Get-Command ssh-agent | Format-Table -AutoSize
PS C:\Users\paulo> Get-Command ssh-keygen | Format-Table -AutoSize

CommandType Name           Version Source
----------- ----           ------- ------
Application ssh.exe        8.1.0.1 C:\WINDOWS\System32\OpenSSH\ssh.exe
Application ssh-add.exe    8.1.0.1 C:\WINDOWS\System32\OpenSSH\ssh-add.exe
Application ssh-agent.exe  8.1.0.1 C:\WINDOWS\System32\OpenSSH\ssh-agent.exe
Application ssh-keygen.exe 8.1.0.1 C:\WINDOWS\System32\OpenSSH\ssh-keygen.exe

Generate a public/private key pair as follows. The most widely recommended key type nowadays appears to be Ed25519 (e.g. Microsoft guide and GitHub guide) as RSA is increasingly considered less secure, so:

PS C:\Users\paulo> ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\paulo/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\paulo/.ssh/id_ed25519.
Your public key has been saved in C:\Users\paulo/.ssh/id_ed25519.pub.
The key fingerprint is: ...

PS C:\Users\paulo> dir C:\Users\paulo\.ssh\
Mode      LastWriteTime       Length    Name
----      -------------       ------    ----
-a----    28/01/2022 16:39    464       id_ed25519
-a----    28/01/2022 16:39    104       id_ed25519.pub

PS C:\Users\paulo> type .\.ssh\id_ed25519.pub
ssh-ed25519 AAA... paulo@DESKTOP-3021L0B

Now copy the public key component (contents of the id_ed25519.pub file – output of the type command above) to the balenaCloud web dashboard: Preferences → SSH Keys → Add a new SSH key → Add key manually. (The contents of the Title field are just for your own reference and not used by the balena CLI.)

Something to double check: Ensure that you are using the same balenaCloud account (same username) when logging in to the web dashboard and when logging in to the balena CLI. Find the web dashboard username by clicking on your name at the top-right corner of the window – this raises a pop-up menu that shows the username. Check that the username matches against the output of the CLI’s balena whoami command.

Note re private key passphrase:
When ssh-keygen prompts you for a passphrase, it is good security practice to set one (not leaving it blank). Then, for convenience, to avoid having to type the private key’s passphrase every time you run balena ssh, run the ssh-agent service as per Microsoft’s guide. That is:

On a PowerShell prompt opened as Administrator:

PS C:\WINDOWS\system32> Get-Service ssh-agent | Set-Service -StartupType Manual
PS C:\WINDOWS\system32> Start-Service ssh-agent
PS C:\WINDOWS\system32> Get-Service ssh-agent

Status   Name               DisplayName
------   ----               -----------
Running  ssh-agent          OpenSSH Authentication Agent

On a PowerShell prompt opened as regular user:

PS C:\Users\paulo> ssh-add
Enter passphrase for C:\Users\paulo/.ssh/id_ed25519:
Identity added: C:\Users\paulo/.ssh/id_ed25519 (paulo@DESKTOP-3021L0B)

PS C:\Users\paulo> balena ssh aab9ad....
=============================================================
    Welcome to balenaOS
=============================================================
root@aab9ad3:~#

You should then only need to re-enter the passphrase when the workstation is rebooted.

Finally, regarding the following debugging output:

debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2

It is normal, not a problem. ssh’s debugging output seems to use the word “failed” whenever some configuration file doesn’t exist, even when harmless.
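As an added example (not part of the original reply), the checks above collected into one PowerShell pre-flight script: it confirms the four OpenSSH tools resolve to Microsoft's build, that the key pair sits in %USERPROFILE%\.ssh, that ssh-agent is running with the identity loaded, and prints the public key and CLI username for comparison with the dashboard. The key path id_ed25519 and the System32\OpenSSH location are assumed from the reply.

```powershell
# Added example, not from the original reply. Assumes the Microsoft OpenSSH client
# under $env:SystemRoot\System32\OpenSSH and a key at %USERPROFILE%\.ssh\id_ed25519.
$problems = @()

# 1. The balena CLI drives the Windows built-in OpenSSH tools, not PuTTY's.
foreach ($tool in 'ssh', 'ssh-keygen', 'ssh-add', 'ssh-agent') {
    $cmd = Get-Command $tool -ErrorAction SilentlyContinue
    if (-not $cmd) { $problems += "$tool not found on PATH"; continue }
    if ($cmd.Source -notlike "$env:SystemRoot\System32\OpenSSH\*") {
        $problems += "$tool resolves to $($cmd.Source), not the Microsoft build"
    }
}

# 2. Keys must live in %USERPROFILE%\.ssh, the only directory the CLI looks in.
$priv = Join-Path $env:USERPROFILE '.ssh\id_ed25519'
$pub  = "$priv.pub"
if (-not (Test-Path $priv)) { $problems += "private key missing: $priv" }
if (Test-Path $pub) {
    # Paste this line into balenaCloud: Preferences > SSH Keys > Add key manually.
    Write-Host "Public key:"; Get-Content $pub
    Write-Host "Fingerprint:"; ssh-keygen -lf $pub
} else {
    $problems += "public key missing: $pub"
}

# 3. ssh-agent must be running and hold the identity, or every balena ssh prompts.
$svc = Get-Service ssh-agent -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += 'ssh-agent service not installed'
} elseif ($svc.Status -ne 'Running') {
    $problems += "ssh-agent is $($svc.Status); run Start-Service ssh-agent as Administrator"
} else {
    $loaded = ssh-add -l
    if ($LASTEXITCODE -ne 0) { $problems += 'no identity loaded in ssh-agent; run ssh-add' }
    else { Write-Host "Agent identities:"; $loaded }
}

# 4. Same account in dashboard and CLI: print the CLI username to compare by eye.
if (Get-Command balena -ErrorAction SilentlyContinue) {
    Write-Host "balena whoami:"; balena whoami
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Pre-flight checks passed; balena ssh <device-UUID> should authenticate.'
```

Run it from a regular (non-Administrator) PowerShell prompt, since ssh-add talks to the agent in the current user's session.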