
Bitbucket LFS, Access Keys & 2FA

Tom Thackstone
May 2, 2018

We are getting an authentication failure when trying to clone a Bitbucket repo with LFS enabled using an access key, which we think might be related to having 2-factor authentication.

With GIT_TRACE=1 git clone resulted in this:

trace git-lfs: tq: sending batch of size 1
trace git-lfs: ssh cache: XXXX@bitbucket.org git-lfs-authenticate XXXX/XXXX.git download
trace git-lfs: api: batch 1 files
trace git-lfs: HTTP: POST https://bitbucket.org/XXXX/XXXX/info/lfs/objects/batch
trace git-lfs: HTTP: 403
trace git-lfs: HTTP: {"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}
trace git-lfs: api error: Authorization error: https://bitbucket.org/XXXX/XXXX/info/lfs/objects/batch
Check that you have proper access to the repository

Our admin temporarily disabled 2FA and the clone was successful.

A clone with an account level SSH key is also successful.

Unfortunately we have constraints that mean we need both 2FA and to use a repo Access Key.

Is this expected behaviour or a bug?

Answer accepted
Ana Retamal
Atlassian Team
June 12, 2018

Hi Tom! Apologies for the delayed response, hopefully it will still help you or someone else from our Community :) 

If you set “ensure that the user has 2FA” there are only two ways to clone the repos:

  1. Using SSH

  2. Using app password (only method supported while using HTTPS)

You won't be able to clone it using your regular credentials; you'll need to use your username (not the email address) and the app password. If you need more info on how to generate it, please read App passwords.

 

Let us know if you have any questions!
Kind regards,
Ana
Chad Gilbert March 9, 2021

I don't believe this answers the question, and I'm running into the same problem. The question is about Git LFS failing. Normal Git operations work fine against SSH, but if you are using an SSH Access Key (repository-scoped) and try to perform LFS commands on an organization that enforces 2FA, then LFS commands fail with a 403 error.

To reproduce:

  • Create a repository with LFS and push up at least one file that is in LFS
  • Set your organization to enforce 2FA
  • Create a repository Access Key by uploading a public key
  • Standard Git Clone and Fetch commands work fine on that repo
  • Git LFS commands fail

Git LFS operates over HTTPS, but a repo Access Key is only an SSH key. This normally isn't a problem for Git LFS, because the protocol is designed to use SSH to download a temporary HTTPS authentication header using `git-lfs-authenticate`:

ssh git@bitbucket.org git-lfs-authenticate myworkspace/myrepo.git download

This command successfully returns a JWT intended for use within subsequent Git LFS HTTPS operations. (You can see this chatter if you set GIT_CURL_VERBOSE=1.)

That JWT authentication token works fine if your organization does not enforce 2FA.

However, if your organization enforces 2FA, then the HTTPS attempts using that JWT token fail with a 403 and the message "To access this repository, enable two-step verification."

And that's the problem: The SSH key is tied to a repository-scoped Access Key, which has no chance of having 2FA.

This effectively means that Access Keys are unusable on repos relying on LFS, when your organization enforces 2FA.

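
A triage helper for the two-leg flow described in the comment above, added here as an example; it is not part of the original thread and is not Git LFS or Bitbucket code. It takes the output of the `git-lfs-authenticate` SSH call and the HTTPS batch reply and reports which leg failed. The `href`/`header` JSON shape follows the Git LFS server-discovery format; the `Bearer` scheme, the `sub` claim, the token and all function names are assumptions or constructed sample values.

```python
import base64
import json

def parse_lfs_auth(ssh_stdout):
    """Parse the JSON printed by `ssh ... git-lfs-authenticate <repo> download`."""
    doc = json.loads(ssh_stdout)
    return doc["href"], doc.get("header") or {}

def unverified_jwt_claims(auth_value):
    """Decode a JWT payload for inspection only; the signature is NOT checked."""
    parts = auth_value.split()[-1].split(".")   # drop the scheme word, keep token
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_batch(status, body):
    """Classify the HTTPS reply from <href>/objects/batch."""
    if status == 200:
        return "ok"
    try:
        message = str(json.loads(body)["error"]["message"])
    except (ValueError, KeyError, TypeError):
        message = ""
    if status == 403 and "two-step verification" in message:
        return "2fa-policy"      # token was issued, then refused by the 2FA rule
    return "auth-rejected" if status in (401, 403) else "other"

def triage(ssh_stdout, status, body):
    """Report which leg failed: the SSH token request or the HTTPS batch call."""
    try:
        _href, header = parse_lfs_auth(ssh_stdout)
    except (ValueError, KeyError, TypeError):
        return "ssh-leg-failed"
    if "Authorization" not in header:
        return "ssh-leg-no-token"
    return "https-leg:" + classify_batch(status, body)

# Constructed sample data: fake token, assumed scheme and claim names.
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
FAKE_JWT = ".".join([_seg({"alg": "HS256"}), _seg({"sub": "access-key"}), "sig"])
SAMPLE_SSH = json.dumps({"href": "https://bitbucket.org/myworkspace/myrepo/info/lfs",
                         "header": {"Authorization": "Bearer " + FAKE_JWT}})
SAMPLE_403 = ('{"type": "error", "error": {"message": '
              '"To access this repository, enable two-step verification."}}')

if __name__ == "__main__":
    print(triage(SAMPLE_SSH, 403, SAMPLE_403))
```

A result of `https-leg:2fa-policy` matches the situation in this thread: the Access Key authenticated over SSH and received a token, and the rejection came from the 2FA requirement on the HTTPS side.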
