So anyone who changed the root password, which you ALWAYS should do, gets slammed by the Victron door? Like security doesn’t matter. Wow.
Edit: hold on. This of course should only matter before you setup a temporarily password, before generating your public key.
The root-access documentation is not clear enough for me at least 
It’s not clear on which side (Venus OS or client) to generate the ssh-files and were to put them.
Or if/how the ssh-files in /data/keys directory should be used!
Well well, its a bit less heavy. 
.
a simple reinstall of the rootfs; or firmware update for that matter, removes the “modified” token.
this (rootfs needs to be rw to set a password for a user) is just how it now works in Venus OS. Sure, maybe there is a way around that - perhaps changing this will be or should be a priority. But I’m told its not trivial + for me not a prio so for we leave it.
how many normal users login on ssh? Very little.
Sorry. I just edited my comment, before reading yours, simply because I think that I misunderstood what you said. But bear with me Matthijs. Now. After you clear that temporarily password, before running ssh_keygen, that modification flag is cleared again. Right? That was basically the problem. I mean we need that password, temporarily, and if that would mean that flag is still there…can’t inmagine this is the case.
Hi George.
Let me start by asking what document that you are reading/using.
And the generated public key is stored in ~/ssh/ where ~ is the home directory of the user. The filename is: authorized_keys
But perhaps there is a better source/post already, since this one is solved. Maybe open a new one specifically to the issue at hand
No problem!
To make the flag be removed, you need to reinstall the firmware.
Its a technical thing, something related to what for us is the simplest way to detect if a filesystem was potentially (!) modified.
“a simple reinstall of the rootfs” made me go 
Well, of course, I do this regularly with all my Linuxes. </sarcasm> 
That’s really the only (official) way to get rid of the “Modified” flag ?
I mean, I understand that this is how it’s (supposed to be) done, but it is somewhat annoying as this also overwrites the backup firmware image.
As for myself, I like to keep a copy of the previous (stable or testing) software version as backup image.
For 90% of the users all this will have no real impact and I’m sure that Victron Support won’t make much of a fuss if a Power User opens a ticket after first dropping into the CLI (and by that raising the “Modified” flag) to run dbus-spy or whatever debug commands.
As already mentioned, installing an SSH key is an option but doing so while keeping the “Modified” flag down might require jumping through some hoops.
And maybe I’m overthinking the entire situation a bit…
Carry on and keep up the good work 
I was asked to change the password so that one of the “technicians” could look into my warnings and remove setup helper. I have now replaced it with the original one as instructed, could this be the reason for my warning being there but no longer showing “yes rcS.local” ?
Many thanks, I had not spotted that before 
After some reading I found the right route for generating a ssh key and have put the .pub on my Cerbo GX. Now with help of ssh -i root@ I was able to login without password from my mac.
Let’s wait and see if it’s still working after a reboot.
Update:
So far everything looks okay.
Not in my case, I waited a few days while reading various answers on this post and, only a few minutes ago, did a further update to 3.70 (after reading about v3.61 Ethernet problems resolved) and, voila’ the “modified” message disappeared.
Prior to that, the Setup Helper was removed but only cancelled the “rcS.local” NOT the “modified” regardless of more attempts of rebooting.
Ssh-login is working. It was my lack of knowledge about which file to generate/put where.
After some reading I solved the ssh-keygen and ssh-login problems and the Cerbo GX is not complaining anymore.
Thanks for the support and good work.
Are you saying that you are now able to log into Venus without using the password?
What advantage does that give you?
I think its best to see google for what the advantages are of using ssh keys over using a password when logging into ssh.
There is a ton of material on that, explained by security experts. Good practice, thats one at least - though a bit generic, I know
Found it, thanks
Hi Mario,
The modified flag won’t go away without having generated your ssh keyset (public and private keys) and copied to your GX device, plus a firmware upgrade/reinstallation.
As soon as you set a password, the file system on the Cerbo GX (GX device) is modified. Your password has to be saved and that is when/why the modified flag is set.
Let’s assume that you use Windows.
Step 1: open a terminal window (Windows PowerShell)
Step 2: run ssh-keygen -t ecdsa
Step 3: cat ~/.ssh/id_ecdsa.pub | ssh root@192.168.1.NNN “cat >> ~/.ssh/authorized_keys”
Step 4: now check if ssh root@192.168.1.NNN works. After that, reinstall the firmware,
Note that you can run ssh-keygen without options (defaults to RSA) or with -t ed25519 You also may need to copy the .pub file to ~/ssh/ on your computer. Perhaps even to ~/authorized_keys, but I’m not a Windows user so please verify this, and use a search engine.
Make sure to use the IP address of your GX device!
Using a passphrase in ssh-keygen is optional, but it is better to use one. Being more secure is a plus, as one who takes over your computer, can also use those keys
Thanks for the in-depth explanation, I actually use one of my MacBook pros but that shouldn’t be a problem
However here’s three points:
Re-install is perhaps a bit heavy term.
What happens when you press that button is that it runs the update again.
Settings are not touched or removed
I get it, this reinstall wording was confusing. I have done that at least a couple of times during our initial investigation with Nick and Manuel so now I know what people mean by that.
I tend to treat the term re-install a fresh install.
Thanks for clarifying that.