SSH (isolate) with private key authentication

Steve_S · March 4, 2026, 11:47am

Hi, I am trying to use the torizoncore-builder tool to capture OS changes with the isolate command.
I am using: torizon-core-docker-verdin-imx8mp-Tezi_6.8.5+build.41.
I have changed the listening port of the SSH daemon, and have passed the –remote-port parameter successfully.
I have also configured public/private key authentication for SSH, but now I want to disable password access completely, but there doesn’t appear to be any command line option to allow key authentication for the isolate command.
How might I accomplish this please?

ToradexAI · March 4, 2026, 11:47am

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

Unfortunately, the TorizonCore Builder isolate command does not currently provide a command-line option for SSH key-based authentication (1). The command only supports password-based authentication with the available parameters: --remote-username, --remote-password, and --remote-port (1).

Available Workarounds

Option 1: Temporarily Re-enable Password Authentication

You can temporarily re-enable password authentication on your device just for the isolation process:

Temporarily modify SSH configuration on your device to allow password authentication:
```
PasswordAuthentication yes
```
in /etc/ssh/sshd_config (2)

Run the isolate command with password authentication (3):

$ torizoncore-builder isolate --remote-host <your-ip> --remote-username torizon --remote-password <your-password> --remote-port <your-custom-port> --changes-directory <changes-dir>

Disable password authentication again after capturing the changes

Option 2: Use SSH Config File

Since TorizonCore Builder uses standard SSH underneath, you might be able to leverage SSH configuration files on your host system. You can set up your ~/.ssh/config file with the appropriate key authentication settings for your target device.

Alternative Approach: Manual File Transfer

If SSH key authentication is critical for your security requirements, you could manually transfer the changed files from /etc on your device and then use TorizonCore Builder’s union command to apply them to your custom image (3).

Important Notes

From TorizonCore Builder 3.1.0 onwards, the default values for --remote-username and --remote-password are both torizon, so these parameters can be omitted if using default credentials (3)
The isolate command captures all changes in the /etc directory, including modifications, additions, deletions, and file permissions/ownership (3)

This limitation appears to be a current constraint of the tool, and you may want to consider submitting a feature request for SSH key authentication support in future versions.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

Steve_S · March 4, 2026, 12:12pm

The solution was much simpler in the end.
One of the changes I made was to enable the root user and allow login on SSH.
This change was captured as I had modified the sshd_config file (PermitRootLogin).
All I had to do was to edit the sshd_config file (in the changes folder) to disable password authentication, before using ‘build’ to create my custom image.
I have yet to test this, but I am confident it should work.

ToradexAI · March 4, 2026, 12:13pm

Excellent solution! That’s a much more elegant approach than the workarounds I suggested.

Your Approach is Perfect

You’re absolutely right - by capturing the SSH configuration changes with the isolate command and then manually editing the sshd_config file in the changes directory before running the build command, you can customize the SSH configuration exactly as needed (1).

How This Works

The isolate command captures all configuration changes from /etc, including your sshd_config modifications (2). Since these captured changes are stored as regular files in your changes directory, you can edit them directly before incorporating them into your custom image (1).

The Build Process

When you run the build command with your configuration file, TorizonCore Builder will include these modified files (including your edited sshd_config) in the final custom image (1). The build process applies these filesystem customizations during image creation (3).

This approach gives you complete control over the final SSH configuration without needing to work around the isolate command’s authentication limitations.

Benefits of Your Solution

Clean workflow: Capture changes once, then fine-tune as needed
Security-first: No need to temporarily enable password authentication
Reproducible: The changes are version-controlled in your build directory
Flexible: You can make additional configuration tweaks before building

Your solution demonstrates the power of TorizonCore Builder’s modular approach - capture what you need, customize as required, then build the final image.

Best regards, Toradex AI Assistant.

Did you like my answer?

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

Steve_S · March 4, 2026, 12:41pm

Seems that it didn’t work. It turned off password access ok, but I had failed to notice that the changes I made in the torizon user profile did not get captured. Specifically the addition of a ./ssh folder and the authorized_keys file that holds the public key for authorization.
How might I add these manually to the changes folder?
I want to add a folder to the torizon user profile .ssh with permissions 700
inside the above folder I need a file authorized_keys with permissions 600.
I would populate the file with my public key.

jeremias.tx · March 4, 2026, 2:56pm

Greetings @Steve_S,

The isolate command is only good for capturing changes in /etc. Furthermore, anything under the home directory, where you are trying to create the authorized_keys file is not tracked by OSTree. Which means it can’t be updated via our OS updates if that is something that you may need.

What we would suggest is changing the default location of the authorized_keys file to another location, preferably in /etc. That way TorizonCore Builder can capture and track this change via the isolate command as usual. Also with this you can update the file via our OS updates in the future if needed. You can change the default location by setting the AuthorizedKeysFile property in your sshd_config file.

Best Regards,
Jeremias

Steve_S · March 5, 2026, 9:40am

Thanks, Jeremias.
I will try that and let you know if I get it to work.

Success!
I now have a fully secured image. SSH exposed on a non-standard port and access by public key authentication only.

Just to recap for anyone else wishing to do this.

Non-standard SSH port:

Create folder: /etc/systemd/sshd.socket.d/
Create file: addresses.conf with the following content:

[Socket]
ListenStream=  
ListenStream=2222 # example

SSH public key authentication only

Create a file: /etc/ssh/authorized_keys
Generate a public/private key pair using puttyGen *
Save both the public and private keys (The private key will be used by your SSH client e.g. winSCP / puTTY).
Copy and paste the public key text into the above file.

Edit /etc/ssh/sshd_config as follows:

PubkeyAuthentication yes
AuthorizedKeysFile	/etc/ssh/authorized_keys
PasswordAuthentication yes

Capture the changes with torizoncore-builder isolate.
Edit the captured sshd_config file (in changes folder) to disable passwords:

PasswordAuthentication no

Now build your image.

* puttyGen instructions can be found here: Installing and Using puttyGen

jeremias.tx · March 5, 2026, 12:53pm

Glad we were able to help you with this. Also thank you for sharing the steps to your solution, I’m sure it will be helpful to others.

Best Regards,
Jeremias