Centralised SSH key management

I want to find a way to ssh in to production devices without having to add ssh keys to the config.json file each time, having some kind of central ssh key management.
From what I have found so far that would work well is using a signing authority to sign an ssh key, setting the TrustedUserCAKeys to a public key of a signing authority in the sshd_config file.

Is there any way to change the sshd_config on a production device so that I could add my own signing authority pub key?

Hi @mamoen,
First off to further understand what this would involve I relied on this guide to understand how CA certs could be used with ssh.

You could indeed edit:
/etc/ssh/sshd_config
First, you would need to remount the root file system: / with mount -o remount,rw /
See this for more information on why you need that.

But we have a problem. I am fairly certain this file would get overwritten during Hostos upgrades. If you want to continue with this solution I would recommend a container that lives on the device that is strictly responsible for checking the sshd_config and adding the key and the setting to the config as needed. That way even after a Hostos update restart your configuration will fix itself. Since it’s only a public key I don’t see much risk of having a container add it to the HostOS other than that being another privileged container.

Secondly, though, have you looked into the solution offered by Balena Tunnel or the Balena cli ssh instance? That way you don’t need any keys on the device just Balena Cloud accounts authorized to access the device.

See:

If you want to use your own client or even something like scp or rsync you could use Balena Tunnel.

Let me know what you think and if any of these solutions are what you are looking for.

-Thomas

@mamoen was was your solution for this? I’m facing exactly the same issue

@tacLog I’ve been using tunnel + ssh combo but it’s slower than direct ssh and, this is more critical, it depends on balena’s infra. It happened more than once to me that balena was having some issues and I needed to access the device.

Wishful thinking It would awesome to be able edit the config.json via Balena’s web page. This way it would be super easy to add/revoke ssh keys according to our needs. Something even more advanced: SSH key management per fleet where the keys would be propagated to all the devices.

Hello @AndreMaz maybe it’s a good idea to suggest a feature you would like to see and upvote features that you would like us to prioritize on the balena roadmap.

Yep, just saw this SSH Key management in BalenaCloud · Balena Roadmap and already voted

Kudos for great initiative! Voting system is really cool

Thanks for adding the feature request!
We never found a solution outside of manually adding keys to config.json, it’s quite painful and has had an impact on development Issue with SSH Access in Development Mode on Balena Devices - #3 by mpous