open-balena is used in the backend.
I can log in and get information about a specific device using balena-cli:
$ balena device 79a1dd9
== HIDDEN SKY
ID: 8
DEVICE TYPE: imx6ul-var-dart
STATUS: idle
IS ONLINE: true
APPLICATION NAME: imx6ulApp
UUID: 79a1dd9c1bacdc79661d1afd31e7c52b
COMMIT: fc2e2716d8c8913ae434a0f05f9ed713
SUPERVISOR VERSION: 8.6.3
OS VERSION: balenaOS 2.28.0+rev2
DASHBOARD URL: https://dashboard.mydomain.com/devices/79a1dd9c1bacdc79661d1afd31e7c52b/summary
But when I try to ssh to host BalenaOS:
$ balena ssh 79a1dd9 -s
Connecting to: 79a1dd9 root@ssh.devices.mydomain.com: Permission denied (publickey).
Use the development version, login and take a look at authorized keys on device:
$ vi ~/.ssh/authorized_keys_remote
It will be empty, I'm pretty sure. I have this exact same issue and am trying to work out what key should be included, at what point it should be created on the open-balena host, and how it is added to the device.
I suspect the authorised pub key that needs to be added is from the open balena host but it is unclear if this needs to be generated manually or exists after executing setup script to create certificates etc.
Hopefully open balena team will be back from holidays soon and be able to shed more light on this.
Just a little further background on this. I have tried adding SSH key with:
$ balena key add Main ~/.ssh/id_rsa.pub
BalenaRequestError: Request error: Unauthorized
Also listing keys doesn't work with:
$ balena keys
BalenaRequestError: Request error: Internal Server Error
Other cli commands for listing devices, viewing logs, and modifying applications are working with this openBalena instance.
This might be a bigger issue than I thought. Can probably work out how to manually add a key to the right spot, will let you know if I work it out @rlev .
In the meantime this will probably have to wait for a patch along with all of the other cli issues when using openBalena instance.
If you use the production version, you can mount the balena.img with losetup -P,
then mount rw the resin-boot volume and add your key to the file config.json.
Having seen activity in this thread... I understand that:
The approach described by Pietro (adding a ssh key to the config.json file) would allow "standard ssh" (rather than "balena ssh") to work. The sshKeys entry in config.json is described on this page: https://github.com/balena-os/meta-balena/#sshkeys
The "balena key", "balena keys" and "balena ssh" commands don't currently work with openBalena. See this other forum thread for further advice on how to ssh to devices on openBalena: HowTo: SSH into host device
1. Check that the SSH key has been uploaded to balena (Preferences -> SSH keys). Take a copy of the key.
2. Check that the public key file ~/.ssh/id_rsa.pub exists, and has the same contents as the uploaded key from check 1.
3. Check that you have a private key file ~/.ssh/id_rsa which corresponds to the public key you checked in check 2.
This got balena ssh working for me on MacOS. (The key creation command is ssh-keygen -t rsa)
@PackElend, the public key, yes. Balena only ever needs to have the public key. The private key stays in your workstation, ~/.ssh/ directory.
I am trying balena-io-playground/ssh-key-insert
To help diagnose the issue, try enabling ssh's verbose output. Edit the run.sh script: Where it reads "balena ssh", replace it with "balena ssh -v".
Another thing you may want to double check is that you are using the same balenaCloud account (same username) when logging in to the web dashboard (through which you added the public SSH key(s)) and when logging in to the balena CLI. Check that the output of the balena whoami command matches the balenaCloud web dashboard username: On the web dashboard, click your name at the top-right corner of the window to raise a pop-up menu that shows your username.
Note that it is not necessary to use the ssh-key-insert script and it is not necessary to add ssh keys to the config.json file in order to use the balena ssh <device-UUID> command, regardless of whether the device is running a production or development variant of balenaOS.
Additional, custom ssh keys added to the config.json file through the ssh-key-insert script (or by manually editing it) allow the balenaCloud proxy backend to be bypassed and a standalone ssh client to be used (instead of the balena CLI) to establish a direct ssh connection from a user's workstation to a device running a production variant of balenaOS, using the device's IP address or hostname as the ssh target and "root" as the ssh username. This may be useful, for example, if the device loses access to the internet (perhaps on a schedule) but a workstation is on the same local network as the device (same WiFi access point or Ethernet switch).
Note: this answer was edited to clarify the scenario in which the ssh-key-insert may be useful.
For information, balena CLI v13.3.0 or later also allows balena ssh <device-ip-address> to be used with production variants of balenaOS without the need of adding a ssh key to the config.json file. This requires the device to be running balenaOS v2.44.0 or later. The combinations are:
| Command | balenaOS (dev) | balenaOS (prod) < v2.44.0 | balenaOS (prod) >= v2.44.0 |
| --- | --- | --- | --- |
| balena ssh <device-UUID> | OK | OK | OK |
| balena ssh <device-ip-address> | OK | SSH key needs to be added to config.json | OK (CLI v13.3.0 or later) |
Also for information, on Windows, note that the balena CLI makes use of Microsoft's built-in ssh client that ships with Windows 10 or later. It is not compatible with PuTTY. Check the following answer for more details: add SSH key after provisioning to production device? - #10 by pdcastro
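For the config.json approach discussed in this thread (the sshKeys entry), the following is an added example, not code from any post or from balena's tooling. It checks that the text being inserted really is an OpenSSH public key before merging it into config.json. It assumes the sshKeys array sits under the "os" object as in the linked meta-balena README; the function names and the sample key are constructed for illustration.

```python
import base64
import json
import struct


def validate_public_key(line: str) -> str:
    """Return the normalized key line, or raise ValueError if it is not an OpenSSH public key."""
    if "PRIVATE KEY" in line:
        raise ValueError("private key material must stay on the workstation")
    parts = line.strip().split(None, 2)  # type, base64 body, optional comment
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    # SSH wire format: the blob begins with a length-prefixed copy of the key type.
    expected = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    if not blob.startswith(expected):
        raise ValueError("declared key type does not match key body")
    return " ".join(parts)


def add_ssh_key(config_text: str, pubkey_line: str) -> str:
    """Return config.json text with the key appended to os.sshKeys, leaving other fields intact."""
    config = json.loads(config_text)
    key = validate_public_key(pubkey_line)
    # Assumption: sshKeys lives under "os", per the meta-balena README linked in the thread.
    keys = config.setdefault("os", {}).setdefault("sshKeys", [])
    # Compare on type + body so a changed comment does not create a duplicate entry.
    if key.split()[:2] not in [k.split()[:2] for k in keys]:
        keys.append(key)
    return json.dumps(config, indent=2)


# Constructed sample input: an all-zero 32-byte key body, not a real credential.
_t = b"ssh-ed25519"
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", len(_t)) + _t + struct.pack(">I", 32) + bytes(32)
).decode() + " user@workstation"
SAMPLE_CONFIG = '{"deviceType": "imx6ul-var-dart"}'

if __name__ == "__main__":
    print(add_ssh_key(SAMPLE_CONFIG, SAMPLE_KEY))
```

Run it against a copy of config.json taken from the mounted resin-boot partition and write the result back only after it parses cleanly.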