I have an SSH key found on a host while performing an audit. It has permission to read/write to repositories. I would very much like to know which Bitbucket user is associated with this SSH key so I may offer security guidance.
Is there any way to figure out which Bitbucket user was identified based on the SSH key, and which permissions are in effect? I've added the `LogLevel DEBUG` option to `~/.ssh/config` and I can see lots of interesting information, but not any message from Bitbucket about identity. I dunno, maybe the SSH protocol just doesn't afford arbitrary server content like this.
Hi Joseph!
I'm afraid that there is no way for users to determine where an SSH key has been added.
You can create a ticket with the support team and provide the public key. If this key is added to a user that is a member of a workspace you are an admin of, we can let you know which user this key belongs to.
You can create a ticket via https://support.atlassian.com/contact/#/. In "What can we help you with?", select "Technical issues and bugs" and then Bitbucket Cloud as the product. When you are asked to provide the workspace URL, please make sure you enter the URL of the workspace that is on a paid billing plan to proceed with ticket creation.
Please feel free to reach out if you have any questions!
Kind regards,
Theodora
Thank you for the information, Theodora. I can understand why Bitbucket Security would be reluctant to disclose the authenticated user identity when an attacker has access to read/write to repositories, and might want additional information about the key upon which they've stumbled.
I'll keep the Atlassian support URL handy for the next time a mysterious SSH key is discovered being used to modify source code.