connecting to a local device using balena ssh

I have a device with a development image with local mode turned on. When I try to ssh into it using balena ssh <<IP address>> or balena ssh <<random>>.local I get the following message:

SSH: Process exited with non-zero status code "255"

Are the SSH keys correctly configured in balenaCloud? See:
https://www.balena.io/docs/learn/manage/ssh-access/#add-an-ssh-key-to-balenacloud
Are you accidentally using `sudo`?

I tried to follow the ssh-access guide by adding my public key but things still aren’t working. Do I need to have an ssh key to connect in local mode?

When I try to log in directly without the balena CLI, using just ssh and port 22222, I get the following message:

Unable to negotiate with <<ip_address>> port 22222: no matching host key type found. Their offer: ssh-rsa

I generated my ssh key using the guide recommended here: SSH access - Balena Documentation

so,

ssh-keygen -t ed25519 -C "your_email@example.com"
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_<<random>>

I also tried adding a key for legacy systems but that also didn’t work.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Hello @pateco welcome to the balena community!

Maybe this is a naive question, but did you add your ssh key on balenaCloud?

I think I did. I chose to manually upload it instead of using github. This is what the form looked like before I submitted, and I can see it listed in my account preferences SSH Keys tab. But should I need an SSH key for local development?

This page mentions that

Note: If an IP address or a .local hostname is used (instead of a fleet name or device UUID), balena ssh establishes a direct connection to the device on port 22222 that does not rely on cloudlink.

If I run balena ssh [UUID of device] then it works. But I want to connect locally to hopefully reduce lag.

This is the output with the verbose option

balena ssh 4bb5b53.local --verbose
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "4bb5b53.local" port 22222
debug3: resolve_host: lookup 4bb5b53.local:22222
debug3: ssh_connect_direct: entering
debug1: Connecting to 4bb5b53.local [10.4.4.194] port 22222.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/pateco/.ssh/id_rsa type 0
debug1: identity file /home/pateco/.ssh/id_rsa-cert type -1
debug1: identity file /home/pateco/.ssh/id_ecdsa type -1
debug1: identity file /home/pateco/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pateco/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pateco/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pateco/.ssh/id_ed25519 type 3
debug1: identity file /home/pateco/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pateco/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pateco/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pateco/.ssh/id_xmss type -1
debug1: identity file /home/pateco/.ssh/id_xmss-cert type -1
debug1: identity file /home/pateco/.ssh/id_dsa type -1
debug1: identity file /home/pateco/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version dropbear_2017.75
debug1: compat_banner: no match: dropbear_2017.75
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 4bb5b53.local:22222 as 'pateco'
debug3: put_host_port: [4bb5b53.local]:22222
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: compression ctos: zlib@openssh.com,none
debug2: compression stoc: zlib@openssh.com,none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 10.4.4.194 port 22222: no matching host key type found. Their offer: ssh-rsa
SSH: Process exited with non-zero status code "255"

Are the SSH keys correctly configured in balenaCloud? See:
https://www.balena.io/docs/learn/manage/ssh-access/#add-an-ssh-key-to-balenacloud
Are you accidentally using `sudo`?
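
Added example (not part of the original thread, and not balena's code): a short Python script that reads the two KEXINIT proposals from `ssh -vv` output like the log above and reports which algorithm category has no overlap between client and server. The sample log is constructed and trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed to the lines that matter in `ssh -vv` output.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ext-info-c
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-md5
"""

SECTION = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
FIELD = re.compile(
    r"debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc"
    r"|MACs ctos|MACs stoc): ?(.*)"
)

def parse_proposals(log):
    """Return {'client': {field: [algs]}, 'server': {...}} from ssh -vv text."""
    proposals = {"client": {}, "server": {}}
    side = None
    for line in log.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            side = "client" if m.group(1) == "local client" else "server"
            continue
        m = FIELD.match(line)
        if m and side:
            proposals[side][m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals

def negotiate(proposals):
    """Simplified RFC 4253 rule: first client-listed algorithm the server also offers."""
    result = {}
    for field, client_algs in proposals["client"].items():
        server_algs = proposals["server"].get(field, [])
        result[field] = next((a for a in client_algs if a in server_algs), None)
    return result

def mismatches(log):
    """Fields where the client and server lists have nothing in common."""
    return [f for f, alg in negotiate(parse_proposals(log)).items() if alg is None]

if __name__ == "__main__":
    for field, alg in negotiate(parse_proposals(SAMPLE_LOG)).items():
        print(f"{field}: {alg or 'NO MATCH'}")
```

On the sample, only the host key category comes back empty, which is the same condition the client reports as "no matching host key type found".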

Hi there, I was able to do balena ssh <UUID>.local on a device set to local mode here (the device is on the same network as the machine that I’m SSH’ing from) and it worked fine. My CLI version is 14.3.0 (not the most recent, but quite recent I think).

Have you got the corresponding private key set up on your machine?

However, if you are using a development mode image, keyless access locally should be enabled by default. For example, I can ssh into my local development mode device using:

ssh root@IP_ADDRESS -p 22222

This will directly ssh into the device without any involvement of balena cloud, while the balena ssh will try to authenticate via balena cloud.