I have a self-hosted Bitbucket instance that I do not want accessed via HTTPS; all SCM access will be via SSH. I've turned off HTTP(S) SCM, which does prevent unauthenticated SCM access via HTTPS, and that works:
fatal: remote error: SCM access over HTTP(S) has been disabled
However, if I attempt to git clone a non-existent repository, I instead get the message
fatal: remote error: Repository not found
The requested repository does not exist, or you do not have permission to
access it.
If I explicitly disable HTTPS SCM access, why is Bitbucket even reporting that the repository doesn't exist? I would have expected the first message (HTTPS disabled) instead.
An unauthenticated, random remote user shouldn't be able to confirm the presence/absence of my repositories this way.
Or am I missing something?
Thanks!
I think you've found a legitimate security bug in Bitbucket Server. You can create a new issue in the BSERV Jira tracker: https://jira.atlassian.com/projects/BSERV
Note: sometimes it can take a while before the Bitbucket team completes tickets in that tracker, but they have gotten much better about this over the last couple of years.
Actually, this was user error! I didn't realize that Git for Windows had cached the credentials in the Credentials Manager. When those are removed, everything works as expected.
Thanks!
Ah, thanks for clarifying the issue!