Hi there – thanks for your question. If I understand you correctly, you are using a development version of balenaOS. As you’ve found, this allows easy access to the device through passwordless login and other means. This is by design: the use case for the development version of balenaOS is quick prototyping in a trusted network (such as your home LAN) during development or troubleshooting. This makes development easy, but of course (as you’ve found) it also makes the device less secure.
We do not recommend that you use the development version of balenaOS for production devices; instead, we strongly recommend the use of the production version of balenaOS. The production version of balenaOS does not have these methods of logging in enabled. The full set of differences is outlined here, but the short version is:
- Production images do not allow password-less root access
- SSH keys must be added to the device to allow direct SSH access
- Virtual consoles are disabled
More detail can be found at that link; I would also recommend reading our page on the security of balena devices.
You can, of course, skip using the development version of balenaOS during the prototyping phase if that suits your needs better; it may make development a bit slower, but it’s perfectly possible.
I hope this helps. Please let us know if you have any other questions.
All the best,