host fingerprinting issue again

Patricia
July 22, 2025

I am trying to set up ssh keys for my pipeline. I've done this many times before and I'm familiar with the steps, but for my past two projects I've not been able to fingerprint my server. I know about whitelisting ip-ranges, but I've whitelisted the ip4 ranges listed for inbound traffic at https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/ and I'm still not succeeding in getting a fingerprint. Additionally I don't seem to see any ip-address related to bitbucket being rejected in my firewall log, but then again it's a bit hard to see as it gets hammered quite a bit.

Note that I can reach the server if I do `ssh-keyscan -t` in my pipeline.

 

Any idea what's going on here, or how we can find out?

1 answer

0 votes
Theodora Boudale
Atlassian Team
July 23, 2025

Hi Patricia and welcome to the community!

I assume you're talking about fetching the fingerprint from the UI, from Repository settings > SSH keys > Known hosts section?

Up until yesterday, the SSH key scans from this page were running from the exhaustive set of IPs mentioned here:

An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.

The developers deployed a fix today so that the SSH key scans run from the Atlassian IP ranges only, and not from the exhaustive ranges:

Can you please check first if the Atlassian IP ranges are whitelisted in your firewall? If they are, can you please try fetching the fingerprint again, and let me know if it works?

If the Pipelines step that connects to your server is running on Atlassian's infrastructure, then it needs to have a size of at least 4x and the atlassian-ip-ranges: true flag, so that it uses the Atlassian IP ranges, like in the following example:

```yaml
pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "I use atlassian-ip-ranges"
```

Kind regards,
Theodora

Patricia
July 24, 2025

Hello Theodora, thank you for getting back to me! Indeed I was talking about Repository settings > SSH keys > Known hosts in the UI.

I have just re-entered all of the atlassian-ip-range addresses in our firewall allowlist, including the three new ones listed on the page you linked to, but still no luck.

Note that I don't even see a blocked attempt in our firewall log.

I do indeed have the 4x + atlassian-ip-ranges: true set in my pipeline config, and as mentioned I am able to work around the issue by adding a `ssh-keyscan -t` to my script before the push, so the pipeline works just fine. But I would like a solution for the known hosts scan in the UI.
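Added example (not part of the thread and not Atlassian's code): running `ssh-keyscan` inside the pipeline, as in the workaround above, trusts whatever key the server presents on that run. The Python below filters scan output against a fingerprint pinned out of band, so only a matching key is written to `known_hosts`. The host name and key bytes are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_known_hosts(scan_output, pinned_fp):
    """Return the scan lines whose key matches pinned_fp; raise if none do."""
    accepted = []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan banner comments
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host, key_type, key_b64 = fields[:3]
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # malformed base64: never trust it
            continue
        if fp == pinned_fp:
            accepted.append(f"{host} {key_type} {key_b64}")
    if not accepted:
        raise ValueError("no scanned host key matches the pinned fingerprint")
    return accepted


def sample_ed25519_line(host, raw_key):
    """Constructed sample input: a known_hosts line built from 32 arbitrary bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    good = sample_ed25519_line("deploy.example.com", bytes(range(32)))
    # Assumption: in practice the pin comes from the server admin, not from a scan.
    pin = fingerprint(good.split()[2])
    scan = "# deploy.example.com:22 SSH-2.0-OpenSSH\n" + good
    print("\n".join(pinned_known_hosts(scan, pin)))
```

In a pipeline, the pinned fingerprint would live in a secured repository variable and the accepted lines would be appended to `~/.ssh/known_hosts` before the push.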
