You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
I have an SSH key found on a host while performing an audit. It has permission to read/write to repositories. I would very much like to know which Bitbucket user is associated with this SSH key so I may offer security guidance.
Is there any way to figure out which Bitbucket user was identified based on the SSH key, and which permissions are in effect? I've added the `LogLevel DEBUG` option to `~/.ssh/config` and I can see lots of interesting information, but not any message from Bitbucket about identity. I dunno, maybe the SSH protocol just doesn't afford arbitrary server content like this.
I'm afraid that there is no way for users to determine where an SSH key has been added.
You can create a ticket with the support team and provide the public key. If this key is added to a user that is a member of a workspace you are an admin of, we can let you know which user this key belongs to.
You can create a ticket via https://support.atlassian.com/contact/#/, in "What can we help you with?" select "Technical issues and bugs" and then Bitbucket Cloud as product. When you are asked to provide the workspace URL, please make sure you enter the URL of the workspace that is on a paid billing plan to proceed with ticket creation.
Please feel free to reach out if you have any questions!
Thank you for the information Theodora. I can understand why Bitbucket Security would be reluctant to disclose the authenticated user identity when an attacker has access to read/write to repositories, and might want additional information about the key upon which they've stumbled.
I'll keep the Atlassian support URL handy for the next time a mysterious SSH key is discovered being used to modify source code.