Remove empty password login for root from balenaOS dev image

I know, dumb question, I should use the production image - for a lot of good reasons.
But sometimes you need to deploy fast and then have a hard time redeploying so…
Any idea on how to remove the “login as root via ssh without password?”
I deployed an ssh key within config.json and I can login with that as root, hence I wanted to remove the password based login.

Cheers

Nico

Hi @nmaas87,

Thanks for the feedback! Generally the recommended way to go when developing is to develop your application on an OS dev image, then deploy onto a production OS image. For your case, since you’re trying to access root faster without a password and/or remove the password, here’s a thread which might interest you: How to set up passwordless SSH access for root user - Ask Ubuntu

Also, you mentioned deploying an SSH key within config.json. You can also do so from the dashboard, which might be faster for you. See: SSH access - Balena Documentation

Let us know how it goes!

Regards,
Christina

1 Like

Thank you Christina for your friendly answer, but I did a really bad job asking what I actually wanted.
You’re absolutely right, I should use the production image, but… yeah.
I currently have a dev image rolled out in a local instance (without internet access or balenaCloud), added my ssh key to it and it works perfectly.
However, given the nature of the dev images, you can login with the user root and no password at all - even if you added an ssh key.
Now that I have a working ssh key in it, I want to remove the option to log in with the empty password for root, so that login is only possible with root and my ssh key :slight_smile:
Do you have an idea on how to get it working?

I tried following:

# remount to rw
mount -oremount,rw /
# open sshd server config
vi /etc/ssh/sshd_config
# do not allow password auth and do not allow empty passwords
PasswordAuthentication no
PermitEmptyPasswords no
# restart sshd server
systemctl restart system-sshd.slice

This did not help, so I rebooted - and still could access the RPi via ssh on port 22222 with root and no password…

Any ideas :)?

Hi there, this behaviour is by design on dev images. Please change to a production image to have password authentication in SSH disabled.

1 Like

Thanks Anton, while from a methodological standpoint you’re absolutely correct (one should not deploy on dev images in the field), this does not help with my current undertaking of at least securing two deployed units which are not physically accessible. I am going to mark your answer as the solution so this does not appear anymore on balena's staff screen, and I'm gonna see for myself how I can hack it together.

Did you come up with a solution for this, Nico? To date we’ve ruled out Balena for our application because of this design decision. (We need to support rapid network-interactive design modifications for testing purposes on a small subset of field devices, and it’s not feasible to completely isolate the network.)

2 Likes

Hey @Philr - I have to admit, I did not yet have time for this - workload is through the roof, sadly.
I can completely understand your point, but I can assure you that this is not an issue.
For my use-case I need to work in completely isolated networks, with only the possibility to allow for some ports going in and no internet, so balenaCloud is out of question.
In this case, the correct way would be to use balenaOS straight from the balenaOS website as production image. You just need to flash the SD card, mount it on your PC before first boot of the device(!) and then add your SSH Key to the config.json in the boot folder.
Then you can boot the device and ssh into the device - which is now secured with root user via TCP port 22222 - but with your SSH key.
This also would be how I would have solved it, but I was in an extreme hurry, so I could not take care of this issue and now have development type images deployed in the field - so I was thinking about this hack. But to be honest, the images are already old now and I should just redeploy with the described scenario to make it “correct”. But… yeah, this is another pain for another day :wink: .
I hope I could help you a bit? If not, just ask away.

Cheers

1 Like
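The step described in the last post (adding an SSH public key to config.json on the boot partition before first boot), as an added example that is not part of the thread and not balena's own code. It assumes the key list lives at `os.sshKeys`, as in balenaOS's documented config.json layout; the function names and the sample key are constructed for illustration.

```python
import base64
import json
import os
import tempfile

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
# Constructed sample: an all-zero ed25519 blob, not a real key.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
).decode() + " demo@example"


def validate_public_key(line):
    """Return the normalised key line; raise ValueError if it is not an OpenSSH public key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line (private key pasted?)")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:
        raise ValueError("key body is not valid base64") from exc
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or stitched together from two keys.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type does not match key body")
    return " ".join(parts)


def add_ssh_key(config, pubkey_line):
    """Add the key to config['os']['sshKeys'] (assumed location); True if config changed."""
    key = validate_public_key(pubkey_line)
    keys = config.setdefault("os", {}).setdefault("sshKeys", [])
    if key in keys:
        return False
    keys.append(key)
    return True


def update_config_file(path, pubkey_line):
    """Rewrite config.json via a temp file so an interrupted write cannot truncate it."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    changed = add_ssh_key(config, pubkey_line)
    if changed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh)
        os.replace(tmp, path)
    return changed
```

Rejecting a malformed line before it reaches config.json matters here because a key that sshd cannot parse leaves the device with no working key login once it is deployed.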