Bitbucket LFS, Access Keys & 2FA

We are getting an authentication failure when trying to clone a Bitbucket repo with LFS enabled using an access key, which we think might be related to having 2-factor authentication.

With GIT_TRACE=1 git clone resulted in this:

trace git-lfs: tq: sending batch of size 1
trace git-lfs: ssh cache: XXXX@bitbucket.org git-lfs-authenticate XXXX/XXXX.git download
trace git-lfs: api: batch 1 files
trace git-lfs: HTTP: POST https://bitbucket.org/XXXX/XXXX/info/lfs/objects/batch
trace git-lfs: HTTP: 403
trace git-lfs: HTTP: {"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}
trace git-lfs: api error: Authorization error: https://bitbucket.org/XXXX/XXXX/info/lfs/objects/batch
Check that you have proper access to the repository

Our admin temporarily disabled 2FA and the clone was successful.

A clone with an account level SSH key is also successful.

Unfortunately we have constraints that mean we need both 2FA and to use a repo Access Key.

Is this expected behaviour or a bug?
1 answer

1 accepted

0 votes
Answer accepted
Ana Retamal Atlassian Team Jun 12, 2018

Hi Tom! Apologies for the delayed response, hopefully it will still help you or someone else from our Community :) 

If you set “ensure that the user has 2FA” there are only two ways to clone the repos:

  1. Using SSH

  2. Using app password (only method supported while using HTTPS)

You won't be able to clone it using your regular credentials, you'll need to use your username (not the email address) and the app password. If you need more info on how to generate it, please read App passwords.

Let us know if you have any questions!
Kind regards,
Ana

I don't believe this answers the question, and I'm running into the same problem. The question is about Git LFS failing. Normal Git operations work fine against SSH, but if you are using an SSH Access Key (repository-scoped) and try to perform LFS commands on an organization that enforces 2FA, then LFS commands fail with a 403 error.

To reproduce:

  • Create a repository with LFS and push up at least one file that is in LFS
  • Set your organization to enforce 2FA
  • Create a repository Access Key by uploading a public key
  • Standard Git Clone and Fetch commands work fine on that repo
  • Git LFS commands fail

Git LFS operates over HTTPS, but a repo Access Key is only an SSH key. This normally isn't a problem for Git LFS, because the protocol is designed to use SSH to download a temporary HTTPS authentication header using `git-lfs-authenticate`:

ssh git@bitbucket.org git-lfs-authenticate myworkspace/myrepo.git download

This command successfully returns a JWT intended for use within subsequent Git LFS HTTPS operations. (You can see this chatter if you set GIT_CURL_VERBOSE=1.)

That JWT authentication token works fine if your organization does not enforce 2FA.

However, if your organization enforces 2FA, then the HTTPS attempts using that JWT token fail with a 403 and the message "To access this repository, enable two-step verification."

And that's the problem: The SSH key is tied to a repository-scoped Access Key, which has no chance of having 2FA.

This effectively means that Access Keys are unusable on repos relying on LFS, when your organization enforces 2FA.
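
A triage sketch for the failure discussed in this thread, added here as an example and not part of any post or of Atlassian's or Git LFS's own code: it reads `GIT_TRACE=1` output and separates a 403 caused by the two-step-verification policy from an ordinary credential or permission failure. The sample trace is the one quoted in the question; the function names and verdict labels are assumptions made for this example.

```python
import json
import re

# Sample input: the GIT_TRACE=1 lines quoted in the question (placeholders kept).
SAMPLE_TRACE = """\
trace git-lfs: tq: sending batch of size 1
trace git-lfs: ssh cache: XXXX@bitbucket.org git-lfs-authenticate XXXX/XXXX.git download
trace git-lfs: api: batch 1 files
trace git-lfs: HTTP: POST https://bitbucket.org/XXXX/XXXX/info/lfs/objects/batch
trace git-lfs: HTTP: 403
trace git-lfs: HTTP: {"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}
trace git-lfs: api error: Authorization error: https://bitbucket.org/XXXX/XXXX/info/lfs/objects/batch
"""

PREFIX = "trace git-lfs: "

def classify(r):
    if r["status"] is None:
        return "no-batch-response"
    if r["status"] < 400:
        return "ok"
    if r["status"] == 403 and "two-step verification" in (r["message"] or ""):
        # The SSH step ran, then the HTTPS batch call was refused on 2FA policy.
        return "2fa-policy-rejected-token" if r["ssh_authenticate"] else "2fa-policy"
    if r["status"] in (401, 403):
        return "credential-or-permission"
    return "other-error"

def triage_lfs_trace(trace):
    """Summarise one LFS batch attempt found in GIT_TRACE output."""
    r = {"ssh_authenticate": False, "batch_url": None, "status": None, "message": None}
    for raw in trace.splitlines():
        if not raw.startswith(PREFIX):
            continue
        line = raw[len(PREFIX):].strip()
        if "git-lfs-authenticate" in line:
            r["ssh_authenticate"] = True
        elif m := re.fullmatch(r"HTTP: POST (\S+/info/lfs/objects/batch)", line):
            r["batch_url"] = m.group(1)
        elif m := re.fullmatch(r"HTTP: (\d{3})", line):
            r["status"] = int(m.group(1))
        elif line.startswith("HTTP: {"):
            try:
                err = json.loads(line[len("HTTP: "):]).get("error")
            except ValueError:
                continue
            r["message"] = err.get("message") if isinstance(err, dict) else None
    r["verdict"] = classify(r)
    return r
```

A `2fa-policy-rejected-token` verdict points at the policy check on the HTTPS side rather than at the SSH key itself, which matches the behaviour described in the comment above.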
