In much of the documentation pertaining to security and even normal operations, logging in as root is discouraged, which of course is pretty understandable.
On the other hand, HASSIO seemingly only allows for root access. I have created another user, even set up SSH pub/priv keys, but cannot log on to the rPi.
So, is it simply the case that HASSIO must be accessed by root? If that is the case, is that a problem to consider when making HA visible from outside my network (of course following all the best security guidance)?
In Hass.io the SSH add-on runs as a Docker container and is therefore isolated from your host system by nature, hence this is not such a big deal on Hass.io.
If you’d really like to access it with a different username, you could take a look at the Community version of the SSH add-on, which allows you to log in using a different user.
Every time you do something in SSH, especially changing any config, it requires you to run a sudo command?
It is basically going to ask root for root permission. This sudo method is basically there so that you as a user do not enter a wrong command which may screw up the *nix system, or modify an important file.
For beginners, it is good to use sudo for all commands related to modifying files.
In layman's terms, yes, more secure*.
No, in terms of *nix guys like myself, because it puts a barrier between me and my edits, as I am very comfortable with all the commands. Having to sudo every single time wears me out, so I would just log into su every time instead, because I know how to recover if something screws up.
From a security standpoint, you are already secured because 192.168.x.x is a local network that no hacker is able to access, unless someone manages to hack into your Wi-Fi, which is pretty unlikely if you are using WPA2 PSK and not WEP.
Even if someone were to break into your Wi-Fi, he would still need to brute-force his way into your rbp, which SSH is built to withstand (it takes aeons to brute-force SSH unless your password is weak, without a combination of symbols, numbers and caps).
If you really want security, just enable your iptables allow list, or modify the ACL, so only trusted IPs can SSH.
Security is all about barriers, and less so about convenience. Using root has its place but should only be used when needed, otherwise it breaks the principle of least privilege. Another user (hassio?) that can only perform typical hassio related actions is the way to go. To change a yaml config or restart homeassistant using root is a bit of a security smell.
Also you should still secure things even in your local network. It doesn’t take someone hacking your wifi, just a rogue or compromised device on your network. Using ssh keys (with passphrases on them) for auth is good practice (over password auth).
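The three settings debated in this thread (direct root login, password versus key authentication, and limiting SSH to trusted addresses) can be checked mechanically. The following is an added example, not part of any post above: it audits the global section of an OpenSSH `sshd_config`, assuming a stock OpenSSH server rather than the Hass.io SSH add-on's own options. The two sample configurations, the `hassio` account name and the `192.168.1.*` range are constructed for illustration.

```python
# Added example (not from the thread): audit the global part of an sshd_config.
# Both configurations below are constructed samples.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers hassio@192.168.1.*
"""
# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def effective_settings(text):
    """Return (settings, allow_users) for the global section of the config."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":  # conditional blocks are out of scope here
            break
        if key == "allowusers":  # may repeat; entries accumulate
            allow_users.extend(value.split())
        else:  # sshd uses the first value it sees for a keyword
            settings.setdefault(key, value.lower())
    return {**DEFAULTS, **settings}, allow_users


def audit(text):
    """Return finding codes for the three issues discussed in the thread."""
    settings, allow_users = effective_settings(text)
    findings = []
    if settings["permitrootlogin"] != "no":
        findings.append("root-login-possible")
    if settings["passwordauthentication"] != "no":
        findings.append("password-auth-enabled")
    if not allow_users or any("@" not in user for user in allow_users):
        findings.append("no-source-address-allowlist")
    return findings
```

In `WEAK_CONFIG` the later `permitrootlogin no` has no effect because the first value wins, so the audit still reports root login. On a live host, `sshd -T` prints the effective configuration and can be fed to the same checks.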