BalenOS root access concern via SSH


Apologies, this is a very beginner question, I’m thinking it has more to do with the nature of SSH but I felt it would be appropriate to ask it here.

I’ve just discovered balenaOS and I’m looking to start my first homelab with an image on my Raspberry Pi 4 to run Nextcloud and some other services for my home.

Following the docs, I can ssh into my remote pi without issue using the following:

balena ssh <host name here>.local

However, I’ve discovered I can also tunnel into my pi with:

ssh -p 22222 root@<IP address here>

As I can’t create a root password, does this mean that root access to my homelab is available to anyone so long as it is connected to the Internet? I have not enabled any port forwarding on my router, but I would still prefer to harden access to my pi in case someone connects to my Wi-Fi. As per the instructions, I’m using the Development build for balenaOS, I’m not sure if the Production build would change things in this regard.

To answer my own question, turns out it is exactly because I’m using the Development build for balenaOS. I found this thread that helped me realize that.

Glad that you were able to find the solution and share it with others! For future reference, this is our documentation regarding SSH access, where we detail the differences between development and production images: SSH access - Balena Documentation

More specifically, this part: "When the username is root, production variants of balenaOS perform authentication against public SSH keys previously added to the device’s config.json file, sshKeys section. When the username matches a valid balenaCloud user account, authentication is also performed against that user’s public SSH keys stored in balenaCloud (this feature requires balenaOS v2.44.0 or later). The username can be found in the profile or preferences section of the web dashboard, or with the balena whoami CLI command.

Development variants of balenaOS allow unauthenticated access and should never be directly exposed to the public internet. "

1 Like