We have been using command line Git for months, but now apparently have to switch things to using an app password. The instructions for creating an app password were clear enough (https://bitbucket.org/blog/deprecating-atlassian-account-password-for-bitbucket-api-and-git-activity), but it's not at all clear what we're supposed to do with them once generated.
Our team is on Windows, if that matters. We're not using any GUIs or tools... just command line, and we've not had to touch passwords or authentication of any sort since we started. None of us remember the mechanics.
Help?
When it was all said and done, it required that I update the contents of my _netrc file (found in C:\users\account_name\).
Honestly, I absolutely hate this app password thing.
Why can't I upvote this?
Likewise.
I could tolerate the requirement to use app passwords if bitbucket provided clear documentation on how to use them. But that clarity is entirely absent.
Additionally, app passwords appear to be absolutely required in cases where they aren't needed at all.
Atlassian has dropped the ball here.
Well, I got it to work the only way I could… by storing the app password in the clear in the git config. Certainly not ideal but at least I can use git again.
Did they do this so that you don't expose your bitbucket login (administrative) password to the git application? I think the security risk there is that git could mirror passwords off to hackers.
Assuming a GIT version you received was not through a reputable install system?
G'day John!
Once you have generated the App Password in Personal Settings > App Password:
git remote set-url origin https://USERNAME:APP_PASSWORD@bitbucket.org/workspaceID/reposlug.git
git clone https://USERNAME:APP_PASSWORD@bitbucket.org/workspaceID/reposlug.git
Hope this helps.
Cheers!
- Ben (Bitbucket Cloud Support)
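Added example (not part of the thread or of Atlassian's documentation): the remote URL form above writes the app password in cleartext into `.git/config`, which other commenters in this thread also point out. This script finds such remotes and moves the password into whatever `credential.helper` is configured; the function names and sample URLs are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Any URLs used with it are constructed samples.

# True if an http(s) URL carries "user:password@" in its authority part.
has_embedded_password() {
    printf '%s\n' "$1" | grep -Eq '^https?://[^/:@]+:[^/@]*@'
}

# Print the URL with "user:password@" reduced to "user@".
strip_password() {
    printf '%s\n' "$1" | sed -E 's#^(https?://[^/:@]+):[^/@]*@#\1@#'
}

# Print only the password part of the URL (nothing if there is none).
extract_password() {
    printf '%s\n' "$1" | sed -nE 's#^https?://[^/:@]+:([^/@]*)@.*#\1#p'
}

# Run inside a working copy: hand each embedded password to the configured
# credential helper, then rewrite the remote so .git/config no longer holds it.
# Assumes the password contains no percent-encoded characters.
fix_remotes() {
    if [ -z "$(git config --get credential.helper)" ]; then
        echo "no credential.helper configured; leaving remotes untouched" >&2
        return 1
    fi
    git remote | while read -r name; do
        url=$(git remote get-url "$name")
        has_embedded_password "$url" || continue
        clean=$(strip_password "$url")
        rest=${clean#*://}
        userhost=${rest%%/*}
        printf 'protocol=%s\nhost=%s\nusername=%s\npassword=%s\n\n' \
            "${clean%%://*}" "${userhost#*@}" "${userhost%@*}" \
            "$(extract_password "$url")" | git credential approve
        git remote set-url "$name" "$clean"
        echo "$name: password moved to credential helper"
    done
}
```

Source the file in Git Bash and call `fix_remotes` inside each clone; the old URL can still be present in shell history, so revoking and regenerating the app password afterwards is the clean finish.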
Well, it helps some, but it's not quite what I was looking for.
Since GIT was set up for us, we've never had to do any sort of authentication. It's all happened somewhat behind the scenes for each of us. All we enter is "git this" or "git that". How do we make this new app password work for us the same way?
Should I store my app password on an arbitrary computer? It is not safe. Why are you forcing us to do this?
Please explain if it is possible to continue using Atlassian Git safely on the command line with my password? If not, please report us immediately! We will be moving.
Hey John,
The App Password only needs to be configured once in the git remote configuration as described above. Once this has been configured, git pull/push will function as normal and won't need any extra commands to be added.
You will only need to use the App Password explicitly when performing a git clone in the format described above.
The removal of account password usage for Basic authentication when using Git over HTTPS and/or the Bitbucket Cloud REST API is due to Bitbucket Cloud's ongoing effort to align with internal infrastructure and improve Atlassian account security. App passwords are substitute passwords for a user's account and are designed to be used for a single purpose with limited permissions.
By replacing the usage of account passwords with app passwords for Git over HTTPS and/or the Bitbucket Cloud REST API, we are able to improve account security given the fact that app passwords are single-use, have limited permissions, and can be easily and quickly revoked.
I would suggest storing the App Password in a location that is not shared by other users, using a password manager application.
If you do not believe that App Password is secure, you have the option to use SSH for authentication instead with a keypair instead of a username/password or App Password combination:
https://support.atlassian.com/bitbucket-cloud/docs/configure-ssh-and-two-step-verification/
Hope this helps.
Cheers,
Ben (Bitbucket Cloud Support)
Hey John,
To work on other PCs you will indeed need to save configuration on these machines to do so. This is because the local configuration on any given PC first needs to know how to locate the repository you are connecting to and which authentication method to use.
For HTTPS you will need to update the remote URLs as specified above.
For SSH, you will need to transfer your private/public key files to this new PC. SSH allows you to secure the keys with a passcode however, which will prevent unauthorized access by other users unless they know what this passcode is.
To move an SSH key you simply need to move the ~/.ssh folder to the new machine and run the ssh-add command to load this into your ssh-agent.
More information here:
https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/
If you were to move to a new PC even using the old username/password basic auth method, you would still need to configure the remote URLs so git would know where to communicate with the repository, as aforementioned above.
For your use case, I believe SSH is the most viable as the passphrase adds an extra layer of security similar to the basic password you were using previously to authenticate.
Cheers!
- Ben (Bitbucket Cloud Support)
I tried Ben's recommendation, but I still receive an error when cloning: "The requested repository either does not exist or you do not have access...".
I did verify that my App Password has all privileges checked.
I also tried with credential manager turned off completely. And I can connect just fine with GitHub Desktop, however. :/
Update: Got it going by using jopauljn's advice: Use WORKSPACE in repo path, not username as shown in Ben's comment.
So... my advice is to be very careful to use Username (not App Label) colon App Password (not username's password), and use Workspace in repo path, not Username.
Who makes decisions for this kind of stuff there at Atlassian. You are going down stupid rabbit holes.
Wow, how bad that is! We are forced to keep an authentication key locally! Or how to reverse the progress.
If at least, we could define the app password and not generate it...
I hope we all find another repo provider.
Hey this helped me to clear authentication for doing Git ops like "git pull origin master"
git remote set-url origin https://USERNAME:APP_PASSWORD@bitbucket.org/WORKSPACE/REPO.git
Refer to the below article for more clarity!
fyi, if you're having trouble finding your WORKSPACE, navigate to the url of your repository, for me it was the same as my username ie:
I don't want to use these app passwords.
Atlassian / Bitbucket scored massive bad points on this one for me.
My gut is telling me bad intent involved, most likely in the realm of more control for them, tracking, locking people out in the future and so on.
Atlassian, good job on screwing up my productive day. Waste of time!
So the "password" is stored in clear text ??
WOW
Sounds like a very good reason to finally do the migration to GitHub.
I found that allowing Windows to prompt for a password would 100% not accept the App password (nor the user password, obviously, since user passwords are no longer accepted...)
The only thing that worked was putting the app password into the url:
https://GIT_USER:APP_PASSWORD@...
(Not required on Linux or MacOS).
Of course, we all know that saving a string of meaningless garbage locally can make your account safer.
But as a human being, I still prefer passwords in my brain with a 2FA, or a more customizable app password.
Atlassian, good job on screwing up my productive day. Waste of time!
Everything stopped working on the build server. We can't release our software!
Where are the plain step-by-step instructions??? Why should I hunt for them? What a mess!
This is what you need to do for migration:
1. Generate AppPassword in personal settings per Atlassian instructions.
2. Delete the existing repository local folder.
3. Run: git clone https://your_user@bitbucket.org/your_org/your_repo.git
when it will prompt a login dialog, provide AppPassword from step 1.
So what happens, as is the case with me, when you have a bunch of local changes that you are trying to push but are suddenly faced with the "Fatal task" error message, indicating an app password is required? I set up an app password and tried to do the push, was prompted for my password but the app password didn't work.
We did set up a new SSH key locally and saved the pub key in public. Now, when we try to clone the repo, it shows the following error.
The requested repository either does not exist or you do not have access. If you believe this repository exists and you have access, make sure you're authenticated.
fatal: Could not read from remote repository.
We are sure that the repository exists and the ssh agent has loaded the key too, but cloning is still not working.
Hi there,
I would recommend referring to our documentation for troubleshooting this further - this will provide steps to try for common issues:
https://support.atlassian.com/bitbucket-cloud/docs/troubleshoot-ssh-issues/
Cheers!
- Ben (Bitbucket Cloud Support)