Tool to deploy ssh-keys

Hello everyone,

i made a script for node-js, that can deploy new ssh keys to a defined group of devices. Its a little bit hacky and you need node-js and the balena-cli to run it. But maybe somebody else help that tool or you have some good ideas, how to improve that tool.

To the background. With the balena-sdk i load a list of all devices. Then the tool use the balena tunnel command to open a proxy tunnel to the device, logs in with ssh and loads the config.json over the stdout. Unfortunately I was not able to use scp for that. After that the tool add the keys to the local version of the config.json and writes then the config again over stdout back and command the device to reboot.

Disclaimer: The tool modifies the config.json on your device. That is not without danger. I tested the tool at first with devices, that I can access. A damaged config.json can lead to a device, that is not able to connect to the VPN again.


It’s nice to see custom tools being developed.

I do want to point out that configizer from the Balena team is a thing that allows safe-ish modifications to config.json, including SSH keys.
I have not tried it out with openBalena.

There may be reasons for developing your own tool, but at the very least it’s a good learning experience to look at the way they set up their tool.

Correct me, if i’m wrong, but you can’t use balena ssh with openBalena. So the the configizer, that use that command, won’t work with openBalena.
But maybe I can adapt parts of that tool. So I will look into it. Or maybe somebody had experience in use that tool for openBalena?

you can’t use balena ssh with openBalena

You should be able to use balena ssh even if you are using openBalena. What was the error you got when you tried this?

Also, see the instructions for using balena-cli with openBalena

@wolf_karl if you are up for trying out open-balena-admin I recently added functionality where you can use custom SSH keys via the web interface. When you connect to a device via balena ssh, or using plain old ssh, just provide the username which you added the keys (ie ssh username@deviceip -p 22222) and it will pull the custom keys for that user automagically from the balena API. You’ll also need to provide the matching private key to connect.

I can adapt parts of that tool. So I will look into it. Or maybe somebody had experience in use that tool for openBalena ?..

I’m not getting an error, but when I try to connect it asks for a password:
admin@ssh.devices.[redacted].com's password:

I’ve setup openBalena using
./scripts/quickstart -U <email@address> -P <password> -d -c. I did get some errors that said api[redacted].com wasn’t reachable on port 80, although when trying in a browser it was reachable (on https).

What am I missing here?

Hello @ashwin

The balena CLI is supporting openBalena.
Please see the following getting started guide for openBalena and the balena CLI.
Can you please check if you are able to login to your openBalena instace with the CLI?
Please share any output that you get in response.

Best Regards

Sorry I did forget the link to the documentation: