HowTo: SSH into host device

Hi,

This is just a quick guide on gaining SSH access to a host device with your openBalena setup. I can confirm that this works with both development and production balenaOS images, but for production images you must make sure that your SSH key is included in the config.json of the device’s boot partition. More information on that can be found here.

You are going to need a system tool called proxytunnel to do this, and I have only tested this on an Ubuntu system personally. I am assured that the process will work on macOS too, but how you get proxytunnel installed is outside the scope of this post.

$ sudo apt install proxytunnel
$ proxytunnel -V
proxytunnel 1.9.0 (rev 242) Copyright 2001-2008 Proxytunnel Project

Then you should use the balena CLI tool to create an API key for your account:

$ balena api-key generate proxytunnel

Registered api key 'proxytunnel':

sbdfvjhsbvvbliBLJHblJHBlJHBljhBY

This key will not be shown again, so please save it now.

This key will be required, so make a note of it. Now it’s time to configure SSH to use proxytunnel to connect to the balena VPN tunnelling service on your openBalena instance:

$ nano ~/.ssh/config

Host *.balena
  ProxyCommand proxytunnel -p vpn.<your openBalena domain>:3128 -d %h:22222 -F ~/.ssh/balena-ssh
  ServerAliveInterval 30

Substitute the domain as appropriate. Now create the permissions file:

$ nano ~/.ssh/balena-ssh

proxy_user=root
proxy_passwd=sbdfvjhsbvvbliBLJHblJHBlJHBljhBY

Make sure the permissions on this file are acceptable:

$ chmod 600 ~/.ssh/balena-ssh

You are ready to go. To connect, you will need the full UUID of the device, and you should use it like so:

$ ssh root@<full UUID>.balena

This will ask you to confirm the host identification and then drop you into a root prompt. If you’re on a production image, then the SSH keys on your machine will be used to identify you, so they must be set up on the device first, otherwise you will see a rejection due to not having a valid key.

15 Likes

Hi @richbayliss
Thanks for this guide. Very helpful!

Just one quick question. When SSH is fixed/completed in balena-cli will devices deployed with SSH using this method then be SSH-able via balena-cli or will further updates-changes to end devices be required?

Cheers
Chris

Hey, I am glad you found it useful!

I cannot say for certain that devices will not need changes to work with the balena-cli implementation, but the way this method is making the connection is dependent on the HTTP CONNECT proxy implementation in the VPN service container, and I am not aware of any plans to change that service.
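The HTTP CONNECT exchange that the ProxyCommand in the guide relies on, as an added example that is not part of the original posts or of proxytunnel: it builds a minimal request of the kind a CONNECT client sends with Basic proxy authentication and shows that the API key in it is only Base64-encoded. The function names, the 32-character UUID check and the placeholder key are assumptions; proxytunnel's real request may carry further headers.

```python
import base64
import re

# Assumption: full UUIDs are 32 hex characters, as in the UUIDs shown in this thread.
FULL_UUID = re.compile(r"[0-9a-f]{32}")

def build_connect(uuid, user, api_key):
    """Bytes of a minimal CONNECT request to the proxy on vpn.<domain>:3128."""
    if not FULL_UUID.fullmatch(uuid):
        raise ValueError("the full device UUID is required, not a short prefix")
    target = f"{uuid}.balena:22222"
    token = base64.b64encode(f"{user}:{api_key}".encode()).decode()
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n").encode()

def recover_credentials(request):
    """Decode the Basic header: it is Base64 encoding, not encryption."""
    for line in request.decode().split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, secret = base64.b64decode(token).decode().partition(":")
                return user, secret
    return None

def tunnel_established(response):
    """True only for a 2xx status line; a 407 means the proxy refused the credentials."""
    fields = response.split(b"\r\n", 1)[0].split()
    return (len(fields) >= 2 and fields[0].startswith(b"HTTP/")
            and len(fields[1]) == 3 and fields[1].startswith(b"2"))

if __name__ == "__main__":
    # Constructed sample values: the UUID is one quoted in the thread, the key is a placeholder.
    req = build_connect("c94176664572c5654c6d9694f3dc219e", "root", "EXAMPLE-API-KEY")
    print(req.decode())
    print(recover_credentials(req))
    print(tunnel_established(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```

Because the header is reversible, the API key deserves the same handling as a password wherever traffic to the proxy port is logged or inspected.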

Hi @richbayliss,

Are there any updates concerning this issue? As far as I know it doesn’t work out of the box yet, correct?

Thanks in advance!

Hi,

Thanks for this - am just getting going with open-balena and this gets me into the host OS ok.

I guess I’m right then in using “balena logs” and “balena attach” to see what’s happening in the main container. Seems to work anyway.

Thanks!

Alex

No updates, the balena ssh mechanism is not compatible with openBalena deployments and we are working on that, but for now the only route is to tunnel the port 22222 as detailed.

Okay! Looking forward to that, but for now I’m going to explore the tunnel option as you’ve explained. Thanks for this!

I’m receiving this error while trying to SSH into my balenaOS devices, either into the host or the container:

[root@midgard open-balena]# balena ssh c94176664572c5654c6d9694f3dc219e
Connecting to: c94176664572c5654c6d9694f3dc219e
bash: enter: command not found
Connection to ssh.devices.fleet.aghemo.com closed.

Edit: @richbayliss, can you just confirm that right now openBalena users cannot SSH into either the host devices or the containers on them? I quote:

No updates, the balena ssh mechanism is not compatible with openBalena deployments and we are working on that, but for now the only route is to tunnel the port 22222 as detailed.

I got to this topic while searching the forum for a solution, so I’m not asking for a solution or an update, but I just hope this post can help people receiving the “bash: enter: command not found” error.

Also, maybe, the fact “balena ssh” is not working right now has to be mentioned under the “What’s the difference between openBalena and balenaCloud?” FAQ on https://www.balena.io/open.

@daghemo you cannot use the balena ssh command with openBalena as it relies on a service which the openBalena stack doesn’t ship with. However, SSH is possible using either the method above OR using the balena tunnel command, like so:

balena tunnel {uuid} -p 22222:22222

This creates a listening socket on port 22222 of your localhost which you can then use any SSH client to connect to:

ssh root@localhost -p 22222

I hope this helps :+1:

3 Likes

This mechanism is working well for me under Linux. What’s the best way to achieve the same with Windows? Will PuTTY do it?

Thanks, Alex

@ajlennon putty should work but worst case you can build yourself a little virtual machine or even docker container with SSH installed.

I get a “Waiting for connections…” message:

$ balena tunnel 04e43a0 -p 22222:22222
[Debug]   Fetching application by name 04e43a0 (string)
(node:15844) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 error listeners added to [WriteStream]. Use emitter.setMaxListeners() to increase limit
(node:15844) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 drain listeners added to [WriteStream]. Use emitter.setMaxListeners() to increase limit
(node:15844) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 close listeners added to [WriteStream]. Use emitter.setMaxListeners() to increase limit
[Debug]   Application not found
[Debug]   Fetching device by UUID 04e43a0 (string)
[Info]    Opening a tunnel to 04e43a0f842d3a0914f6d39f5fef042b...
[Info]     - tunnelling localhost:22222 to 04e43a0f842d3a0914f6d39f5fef042b:22222
[Info]    Waiting for connections...

The device is on my local network and direct ssh access works (ssh root@04e43a0.local -p 22222).

EDIT: scratch that. I just needed to ssh root@localhost -p 22222 :man_facepalming:

1 Like

Good workaround
For CentOS 7:

wget https://ftp.tu-chemnitz.de/pub/linux/dag/redhat/el7/en/x86_64/rpmforge/RPMS/proxytunnel-1.9.0-1.el7.rf.x86_64.rpm
# install the package file downloaded above
rpm -Uvh proxytunnel-1.9.0-1.el7.rf.x86_64.rpm
yum install proxytunnel

This works perfectly! Nice job! :+1:

Works perfectly for development images, are there any resources for getting ssh keys configured for production images so those can be tested? I have looked at this wiki page for configuring balenaOS but the config.json file I have for my device looks much different, more like the one from this masterclass’ config. Does adding ssh keys to the configuration work exactly the same in both?

I am getting the Permission denied (publickey) error so I am pretty sure the way I have set up the key would be the error… might have just placed it in the wrong spot in config.json

Hi

Indeed you need to configure your SSH keys on the device if you are using production images - as this is a development feature and hence only available in the dev images. To do this, you can create a public-private key pair using the ssh-keygen command on a Linux or Mac OS machine and then add the public key as shown here to the config.json.

To do so, you can mount the device and edit the JSON file in the boot partition using your laptop or similar.

If you are not sure, feel free to redact the key itself, and post the config.json here. Also make sure that you have linted the json file correctly using something like the https://jsonlint.com/ site

2 Likes
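A check for the failure reported in this thread (Permission denied (publickey) on a production image), as an added example that is not from the posts or from balena: it lints a device's config.json and confirms that the local public key is among the listed keys. It assumes the keys sit in an sshKeys array under the os object; check_config, key_identity and the sample keys are constructed for illustration.

```python
import json

def key_identity(line):
    """(type, base64 blob) of an OpenSSH public key line; the comment is ignored."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    return parts[0], parts[1]

def check_config(config_text, local_pubkey):
    """Return a list of problems; an empty list means the local key is listed."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config.json is not valid JSON: {exc.msg} at line {exc.lineno}"]
    # Assumption: keys live in the "sshKeys" array under the "os" object.
    os_section = config.get("os") if isinstance(config, dict) else None
    keys = os_section.get("sshKeys") if isinstance(os_section, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["os.sshKeys is missing or empty"]
    problems, listed = [], set()
    for index, entry in enumerate(keys):
        try:
            listed.add(key_identity(entry))
        except (ValueError, AttributeError):
            # Catches private key material, truncated pastes and non-string entries.
            problems.append(f"os.sshKeys[{index}] is not a public key line")
    if key_identity(local_pubkey) not in listed:
        problems.append("local public key is not listed in os.sshKeys")
    return problems

# Constructed sample data: neither key blob is a real key.
LOCAL_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne me@laptop"
SAMPLE_CONFIG = json.dumps({
    "uuid": "04e43a0f842d3a0914f6d39f5fef042b",
    "os": {"sshKeys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo old@desktop"]},
})

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG, LOCAL_PUB) or ["ok"]:
        print(problem)
```

Comparing key type and blob rather than whole lines means a differing comment field does not hide a match, and a differing blob is reported even when the comment looks right.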

Got it working - copied the wrong key to the device :man_facepalming:

ssh to a production image is working fine now w/the updated and proper config, cheers

Awesome!