host fingerprinting issue again

I am trying to set up ssh keys for my pipeline. I've done this many times before and I'm familiar with the steps, but for my past two projects I've not been able to fingerprint my server. I know about whitelisting ip-ranges, but I've whitelisted the ip4 ranges listed for inbound traffic at https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/ and I'm still not succeeding in getting a fingerprint. Additionally I don't seem to see any ip-address related to bitbucket being rejected in my firewall log, but then again it's a bit hard to see as it gets hammered quite a bit.

Note that I can reach the server if I do `ssh-keyscan -t` in my pipeline.

Any idea what's going on here, or how we can find out?

1 answer

0 votes

Hi Patricia and welcome to the community!

I assume you're talking about fetching the fingerprint from the UI, from Repository settings > SSH keys > Known hosts section?

Up until yesterday, the SSH key scans from this page were running from the exhaustive set of IPs mentioned here:

An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions.

The developers deployed a fix today so that the SSH key scans run from the Atlassian IP ranges only, and not from the exhaustive ranges:

https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/#Atlassian-IP-ranges

Can you please check first if the Atlassian IP ranges are whitelisted in your firewall? If they are, can you please try fetching the fingerprint again, and let me know if it works?

If the Pipelines step that connects to your server is running on Atlassian's infrastructure, then it needs to have a size of at least 4x and the atlassian-ip-ranges: true flag, so that it uses the Atlassian IP ranges, like in the following example:

pipelines:
  default:
    - step:
        size: 4x
        runtime:
          cloud:
            atlassian-ip-ranges: true
        script:
          - echo "I use atlassian-ip-ranges"

Kind regards,
Theodora

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello Theodora, thank you for getting back to me! Indeed I was talking about Repository settings > SSH keys > Known hosts in the UI.

I have just re-entered all of the atlassian-ip-range addresses in our firewall allowlist, including the three new ones listed on the page you linked to, but still no luck.

Note that I don't even see a blocked attempt in our firewall log.

I do indeed have the 4x + atlassian-ip-ranges: true set in my pipeline config, and as mentioned I am able to work around the issue by adding a `ssh-keyscan -t` to my script before the push, so the pipeline works just fine. But I would like a solution for the known hosts scan in the UI.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Suggest an answer

Was this helpful?

Thanks!

Bitbucket

DEPLOYMENT TYPE

CLOUD

PRODUCT PLAN

PREMIUM

PERMISSIONS LEVEL

Product Admin Site Admin

Forums

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

host fingerprinting issue again

1 answer

Suggest an answer

Was this helpful?

Thanks!

DEPLOYMENT TYPE

PRODUCT PLAN

PERMISSIONS LEVEL

TAGS

Atlassian Community Events