How to disable local ssh on balena OS

Hello, I would like to disable sshd all together on my devices running the Balena OS. I’ve read through the docs but I couldn’t find a way to disable sshd from balenaEngine or API. I’ve tried killing the sshd.socket which disabled the ssh access on my device, but I was wondering if there is a way to do this using balenaEngine or API, or maybe something in the config.json?

1 Like

Hello @ajalal welcome to the balena community!

I think this is not possible on balena. Nevertheless I asked internally to see if there is a way to do it or a feature we can add.

Could you please let us know more about your use case on why do you need to disable local ssh access on your devices? Thanks

For security purposes, we keep ssh disabled on our devices is much as we can. Although it might sound weird, but it’s considered low risk when put on pen testing. So it’s not bad, but part of our requirements to have ssh disabled unless we tell it to wake up.

Hi, on production mode only SSH key based authentication is allowed. However, disabling SSH is not possible and has not been discussed as it is a core component in balenaCloud as a remote management platform.

is it normal for the public ui to publicise post 22 as open?

Hi, could you expand on what you mean by ‘publicise port 22 as open’?

Just to clarify - we don’t use port 22 for ssh, and for production OS images we make it a requirement to have keys setup beforehand. Development OS images allow password less access over ssh - but they are meant for development only. Let us know what more clarifications you’d like about ssh and balena