I am trying to set up SSH keys for my pipeline. I've done this many times before and I'm familiar with the steps, but for my past two projects I've not been able to fingerprint my server. I know about whitelisting IP ranges, but I've whitelisted the IPv4 ranges listed for inbound traffic at https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/ and I'm still not succeeding in getting a fingerprint. Additionally I don't seem to see any IP address related to Bitbucket being rejected in my firewall log, but then again it's a bit hard to see as it gets hammered quite a bit.
Note that I can reach the server if I do `ssh-keyscan -t` in my pipeline.
Any idea what's going on here, or how we can find out?
Hi Patricia and welcome to the community!
I assume you're talking about fetching the fingerprint from the UI, from Repository settings > SSH keys > Known hosts section?
Up until yesterday, the SSH key scans from this page were running from the exhaustive set of IPs mentioned here:
"An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the `service` equals `EC2` or `S3`, and using the us-east-1 and us-west-2 regions."
The developers deployed a fix today so that the SSH key scans run from the Atlassian IP ranges only, and not from the exhaustive ranges:
Can you please check first if the Atlassian IP ranges are whitelisted in your firewall? If they are, can you please try fetching the fingerprint again, and let me know if it works?
If the Pipelines step that connects to your server is running on Atlassian's infrastructure, then it needs to have a size of at least 4x and the `atlassian-ip-ranges: true` flag, so that it uses the Atlassian IP ranges, like in the following example:

```yaml
pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "I use atlassian-ip-ranges"
```
Kind regards,
Theodora
Hello Theodora, thank you for getting back to me! Indeed I was talking about Repository settings > SSH keys > Known hosts in the UI.
I have just re-entered all of the atlassian-ip-range addresses in our firewall allowlist, including the three new ones listed on the page you linked to, but still no luck.
Note that I don't even see a blocked attempt in our firewall log.
I do indeed have the 4x + `atlassian-ip-ranges: true` set in my pipeline config, and as mentioned I am able to work around the issue by adding a `ssh-keyscan -t` to my script before the push, so the pipeline works just fine. But I would like a solution for the known hosts scan in the UI.
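One caveat on the `ssh-keyscan -t` workaround mentioned in the thread: running it inside the step trusts whatever host key the server (or anything between the runner and the server) returns at that moment, so it gives no protection against a swapped key. The following is an added example, not code from the thread or from Atlassian, showing how a pipeline step can compare the scanned key against a fingerprint pinned in a repository variable and only then write it to known_hosts. The host name, key blob and the `PINNED_HOST_FINGERPRINT` variable name are constructed placeholders for this example.

```python
# Added example (not from the thread): verify an ssh-keyscan result against a
# pinned SHA256 fingerprint before trusting it in known_hosts.
import base64
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, in `ssh-keygen -l` notation."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Split one 'host keytype base64' line; None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def select_trusted(keyscan_output: str, pinned: dict) -> list:
    """Return known_hosts lines whose key matches pinned[(host, keytype)].

    Lines for hosts or key types with no pin are ignored rather than trusted;
    a pinned host whose key does not match raises so the step fails loudly.
    """
    accepted = []
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, keytype, key_b64 = parsed
        expected = pinned.get((host, keytype))
        if expected is None:
            continue
        got = fingerprint(key_b64)
        if got != expected:
            raise ValueError(f"host key mismatch for {host} ({keytype}): got {got}, pinned {expected}")
        accepted.append(f"{host} {keytype} {key_b64}")
    return accepted


def write_known_hosts(lines, path) -> int:
    """Append accepted lines to a known_hosts file with restrictive permissions."""
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    with p.open("a") as fh:
        for line in lines:
            fh.write(line + "\n")
    p.chmod(0o600)
    return len(lines)


# Constructed sample data: a structurally valid ed25519 blob (length-prefixed
# type string + 32 dummy key bytes) and a dummy ssh-rsa blob. Not a real server.
CONSTRUCTED_KEY = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x11" * 32
).decode("ascii")
CONSTRUCTED_RSA = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x22" * 16).decode("ascii")
SAMPLE_KEYSCAN = (
    "# example.com:22 SSH-2.0-OpenSSH_9.6\n"
    f"example.com ssh-ed25519 {CONSTRUCTED_KEY}\n"
    f"example.com ssh-rsa {CONSTRUCTED_RSA}\n"
)
# The pin is derived from the sample key only so this runs offline; in a real
# step it comes out of band, e.g. a secured repository variable.
PINNED = {("example.com", "ssh-ed25519"): fingerprint(CONSTRUCTED_KEY)}


if __name__ == "__main__":
    # Usage in a step:  ssh-keyscan -t ed25519 deploy.example.com | python3 pin_host_key.py
    scan = "" if sys.stdin.isatty() else sys.stdin.read()
    pins = PINNED
    if os.environ.get("PINNED_HOST_FINGERPRINT"):  # hypothetical repo variable
        host = os.environ.get("DEPLOY_HOST", "example.com")  # hypothetical as well
        pins = {(host, "ssh-ed25519"): os.environ["PINNED_HOST_FINGERPRINT"]}
    if not scan.strip():
        scan = SAMPLE_KEYSCAN
    trusted = select_trusted(scan, pins)
    target = Path(tempfile.mkdtemp()) / "known_hosts"  # use ~/.ssh/known_hosts in a real step
    print(f"wrote {write_known_hosts(trusted, target)} pinned entries to {target}")
```

The fingerprint is computed the same way `ssh-keygen -lf` does (SHA256 over the decoded blob, base64 without padding), so the pin can be taken from `ssh-keygen -lf` run on the server itself or from the Known hosts section in the UI once that works again, and a mismatch fails the step instead of silently accepting a different key.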