SSH Access

The Developer Edition has sshd enabled by default. Standard Interns do not expose SSH — there's no toggle to enable it without re-flashing.

Default credentials

Field	Value
User	system
Password	12345
Port	22
Auth	password or SSH key

Change the default password as soon as you've finished bringing the device up (see Change the password below).

Preflight — find the device IP and confirm sshd is up

Before you SSH in, you need two facts: the device's local IP, and confirmation that sshd is actually running. The easiest way to get both is to ask the Intern over Telegram — it's already paired with you and can self-report.

Paste this into the chat:

Please tell me your local IP address and confirm that sshd is running so I can SSH in. Run:

hostname -I | awk '{print $1}'
sudo systemctl is-active ssh || sudo systemctl is-active sshd
sudo ss -ltn '( sport = :22 )'

Reply with the first IPv4 address, whether the service is active, and whether port 22 is listening. If sshd is not running, start it: sudo systemctl enable --now ssh (some images use sshd).

Expected reply:

IP: 172.168.20.145
sshd: active
port 22 LISTEN on 0.0.0.0:22

Use that IP for the SSH connection in the next section.

Alternative ways to find the IP

If Telegram isn't an option (device unpaired, channel down):

• Router DHCP table — look for the Pi's MAC prefix dc:a6:32:* or 2c:cf:67:*. The hostname registered with DHCP is whatever the OS image set it to (default Raspberry Pi OS uses raspberrypi).
• AP-mode HTTP — if the device is in AP mode (Intern-XXXX SSID), the captive portal is at http://192.168.100.1. From there GET /api/network/current and GET /api/network/check-internet are useful for status.
• Plug in a keyboard + monitor — log in locally as system / 12345 and run hostname -I.

First connection

Once you have the IP and sshd is confirmed up:

ssh system@172.168.20.145    # the IP from preflight
# password: 12345 (change it immediately, see below)

Change the password

ssh system@172.168.20.145
passwd          # old: 12345

Install your SSH public key

From your workstation:

ssh-copy-id system@172.168.20.145

Or by hand on the device:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "ssh-ed25519 AAAA... your@laptop" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

After confirming key auth works, disable password login:

sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart ssh

Useful commands once you're in

Goal	Command
Service status	systemctl status intern bootstrap openclaw nginx --no-pager
Live intern log	journalctl -u intern -f
Live openclaw log	journalctl -u openclaw -f
Config (LLM key, channels)	sudo jq . /root/config/config.json
OpenClaw plugin config	sudo jq . /root/.openclaw/openclaw.json
Force AP mode (re-pair)	sudo device-ap-mode
Force STA mode	sudo device-sta-mode
Manual update	sudo software-update intern

Note: most config files live under /root/, so you'll need sudo even when logged in as system.

Using the SDK to drive SSH

The Python SDK ships with InternSSH, a thin wrapper around Paramiko. See SSH SDK for the full API. Quick example:

from ssh_sdk import InternSSH

with InternSSH("172.168.20.145", "system", password="12345") as ssh:
    result = ssh.run("journalctl -u openclaw -n 50 --no-pager")
    print(result.stdout)

Locking down a fleet

Recommended hardening once you've finished bringing the device up:

# 1. Disable password auth (after installing keys)
sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config

# 2. Disable root SSH (already disabled by default, double-check)
sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config

# 3. Restart sshd
sudo systemctl restart ssh

# 4. Move SSH off port 22 if your network policy requires it
#    Edit /etc/ssh/sshd_config -> Port 2222