Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

ECDSA host keys keep changing

collinmaessen July 14, 2023

After following the steps in the key changes document: https://bitbucket.org/blog/ssh-host-key-changes

We can still get this error:

Warning: the ECDSA host key for 'bitbucket.org' differs from the key for the IP address '2406:da00:ff00::22c5:2ef4'
Offending key for IP in /srv/httpd/*host*/.ssh/known_hosts:6
Matching host key in /srv/httpd/*host*/.ssh/known_hosts:11

Removing the offending lines solves this for a short time. But then it returns again.

This doesn't happen if we force our git commands to use ipv4, it only happens for traffic over ipv6.

What we want to confirm is the following:

  • That there isn't a key configuration issue for bitbucket over ipv6
  • That nuking the entire known_hosts file will permanently solve this (this is what we're going to try the next time we encounter this).

1 answer

1 accepted

3 votes
Answer accepted
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 14, 2023

Hi @collinmaessen,

The reason that you see this error is that there are entries in your known_hosts using our IPs instead of the domain bitbucket.org.

You can remove them by running

ssh-keygen -R bitbucket.org && sed -i.old -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/d' /srv/httpd/*host*/.ssh/known_hosts && curl https://bitbucket.org/site/ssh >> /srv/httpd/*host*/.ssh/known_hosts

You could also delete and recreate the known_hosts file and then copy and paste into the new file the entries from https://bitbucket.org/site/ssh. However, if you connect to other hosts via SSH as well from this machine, and you have their host keys in the known_hosts, then deleting the known_hosts file will affect the SSH connections to these hosts as well. The next time you connect to such a host via SSH you will see a prompt with the host's fingerprint, asking you if you trust the host, so that its host key gets added to known_hosts.

Kind regards,
Theodora

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Site Admin
TAGS
AUG Leaders

Atlassian Community Events