Centralised SSH key management

I want to find a way to ssh in to production devices without having to add ssh keys to the config.json file each time, having some kind of central ssh key management.
From what I have found so far that would work well is using a signing authority to sign an ssh key, setting the TrustedUserCAKeys to a public key of a signing authority in the sshd_config file.

Is there any way to change the sshd_config on a production device so that I could add my own signing authority pub key?

Hi @mamoen,
First off to further understand what this would involve I relied on this guide to understand how CA certs could be used with ssh.

You could indeed edit:
First, you would need to remount the root file system: / with mount -o remount,rw /
See this for more information on why you need that.

But we have a problem. I am fairly certain this file would get overwritten during Hostos upgrades. If you want to continue with this solution I would recommend a container that lives on the device that is strictly responsible for checking the sshd_config and adding the key and the setting to the config as needed. That way even after a Hostos update restart your configuration will fix itself. Since it’s only a public key I don’t see much risk of having a container add it to the HostOS other than that being another privileged container.

Secondly, though, have you looked into the solution offered by Balena Tunnel or the Balena cli ssh instance? That way you don’t need any keys on the device just Balena Cloud accounts authorized to access the device.


If you want to use your own client or even something like scp or rsync you could use Balena Tunnel.

Let me know what you think and if any of these solutions are what you are looking for.