
Does the modification of the ssh host key also apply to an oauth connection?

Denis S_ May 19, 2023

Hello community, 

I recently took note about updating the Bitbucket Cloud SSH Host Keys (https://bitbucket.org/blog/ssh-host-key-changes), but my repositories connect via OAuth.

Should I still do something about this?

Thanks a lot for your time

 

1 answer

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 22, 2023

Hi Denis!

OAuth works over HTTPS and not SSH, so these connections are not affected.

You can double-check that by running the following command in the directory of the clone of your repositories:

git remote -v

If the remote in the output starts with https, then you are using Git over HTTPS and you are not affected.

Please feel free to reach out if you need anything further.

Kind regards,
Theodora

Denis S_ May 23, 2023

Hello @Theodora Boudale

Thanks a lot for your quick answer.

I tried to double-check with your command, it starts with git@bitbucket.org so if I understand well I need to change the SSH host keys, but I actually don't have the Bitbucket key on my server (~/.ssh/known_hosts)

 

As I said, I use an auth.json file at the root of my projects, like this:

{
  "bitbucket-oauth": {
    "bitbucket.org": {
      "consumer-key": "<myConsumerKey>",
      "consumer-secret": "<myConsumerSecret>",
      "access-token": "<myAccessToken>",
      "access-token-expiration": <myAccessTokenExpiration>
    }
  }
}

 

Sorry to bother you, but it would be great if I could be sure that I'm OK

 

Thanks a lot for your time

Denis

Theodora Boudale
Atlassian Team
May 24, 2023

Hi Denis,

You may be using both SSH and HTTPS in different places. In order to figure this out, we would need additional info. Could you please provide the following info?

1. You mentioned

I tried to double-check with your command, it starts with git@bitbucket.org

I assume that you ran the command git remote -v in a clone of the repos on your server, is that correct?

2. Are you using either of the following in order to do a git pull or git push in these clones? If so, which one(s)?

  • Git from command line
  • A Git GUI client
  • A CI/CD system
  • A script

3. You gave us a sample of an auth.json file.

Where is this file located? Is it in the source code of your repos? Or in a different place, on the same server as your clones?

4. What are you doing with the Access Token from this file? Are you running API calls? Are you pulling or pushing to the repos?

Kind regards,
Theodora

Denis S_ May 30, 2023

Hello @Theodora Boudale 

  1. Yes, it's correct
  2. A shell script based on Git from command line
  3. The auth.json is at the root of the cloned project (for each server (LXC container) & each project)
  4. I'm just pulling

Thanks a lot for your help and your time

Theodora Boudale
Atlassian Team
May 30, 2023

Hi Denis,

It's difficult to say what is happening without seeing the script you are using.

If you run git remote -v in a clone and the output looks as follows:

origin git@bitbucket.org:workspace-id/repo.git (fetch)
origin git@bitbucket.org:workspace-id/repo.git (push)

then performing the Git command git pull in that clone's directory (either from a script or from command line) is going to use SSH.


However, it is also possible for a script to use HTTPS with an OAuth access token, if you are executing instead the following in the clone directory

git pull https://x-token-auth:{access_token}@bitbucket.org/workspace-id/repo.git

(so, specifying an HTTPS URL with an OAuth token in the git pull command)


Could you please provide me with

  1. a time frame when this script last ran (date and time in UTC)
  2. the first two or last two letters of the workspace that this script runs for

I can then identify the workspace from the ones you have access to and I can check our logs for any SSH connections during that time frame.

Kind regards,
Theodora

Denis S_ June 5, 2023

Hello @Theodora Boudale 

Sorry for my late answer ...

Indeed, the result of git remote -v is like that

origin git@bitbucket.org:workspace-id/repo.git (fetch)
origin git@bitbucket.org:workspace-id/repo.git (push)

I just launched the script (2023-06-05 8:28 UTC). The script is a simple batch with the command git pull --rebase

The workspace : al***ns / The repository : al**ch

Thanks a lot for your time 

Denis

Theodora Boudale
Atlassian Team
June 5, 2023

Hi Denis,

I checked our logs and I can see both SSH connections and also HTTPS connections using OAuth around this time. It looks like both are used in different places.

The majority of the SSH connections come from an OpenSSH client (specifically, OpenSSH_8.2p1) that uses our existing RSA host key. I cannot tell you though if this is used by this script you are running or by another script on a different server.

I suggest checking all servers that clone or pull from any of your repos via SSH and seeing which one uses the client OpenSSH_8.2p1.

You can figure that out by opening a terminal application on a server and running the command

ssh -Tv git@bitbucket.org

The first line of the output will show you the version of the SSH client.

You can then follow on this server the steps outlined in our blog post, in the section WHAT YOU NEED TO DO.

If you have any questions, please feel free to reach out.

Kind regards,
Theodora
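
The checks discussed in this thread (git remote -v per clone, and whether ~/.ssh/known_hosts has a bitbucket.org entry) can be run across a whole server in one pass. The script below is an added example, not part of the original thread or Atlassian's instructions; CLONE_ROOT and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the transport each clone uses.
# CLONE_ROOT and all function names are assumptions made for illustration.

# Classify a Git remote URL as https, ssh or other.
classify_remote() {
  case "$1" in
    https://*|http://*) echo https ;;
    ssh://*|*@*:*)      echo ssh ;;    # includes git@bitbucket.org:ws/repo.git
    *)                  echo other ;;
  esac
}

# Mask credentials embedded in an HTTP(S) URL, such as x-token-auth:<token>@,
# so that the audit output is safe to log or paste into a ticket.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1<redacted>@#'
}

# Print "<clone> <remote> <transport> <redacted url>" for each remote found.
audit_clones() (
  find "$1" -maxdepth 3 -type d -name .git 2>/dev/null | while read -r gitdir; do
    clone=${gitdir%/.git}
    git -C "$clone" remote | while read -r name; do
      url=$(git -C "$clone" remote get-url "$name")
      printf '%s %s %s %s\n' "$clone" "$name" \
        "$(classify_remote "$url")" "$(redact_url "$url")"
    done
  done
)

# Report whether a known_hosts file (default: the current user's) has an
# entry for bitbucket.org; ssh-keygen -F also matches hashed host names.
known_hosts_status() {
  file=${1:-$HOME/.ssh/known_hosts}
  if [ -f "$file" ] && ssh-keygen -F bitbucket.org -f "$file" >/dev/null 2>&1; then
    echo present
  else
    echo absent
  fi
}

# Runs only when CLONE_ROOT is set, e.g. CLONE_ROOT=/srv/projects sh audit.sh
if [ -n "${CLONE_ROOT:-}" ]; then
  audit_clones "$CLONE_ROOT"
  echo "known_hosts entry for bitbucket.org: $(known_hosts_status)"
fi
```

The script only sees configured remotes; a script that passes an HTTPS URL with a token directly to git pull has to be found by reading that script. Run it as the same user the pull script runs as, since known_hosts is per user.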

DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Site Admin