Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,464,823
Community Members
 
Community Events
176
Community Groups

How do I use the new app password for command line Git?

We have been using command line Git for months, but now apparently have to switch things to using an app password. The instructions for creating an app password were clear enough (https://bitbucket.org/blog/deprecating-atlassian-account-password-for-bitbucket-api-and-git-activity), but it's not at all clear what we're supposed to do with them once generated.

Our team is on Windows, if that matters. We're not using any GUIs or tools... just command line, and we've not had to touch passwords or authentication of any sort since we started. None of us remember the mechanics.

Help?

11 answers

1 accepted

0 votes
Answer accepted

When it was all said and done, it required that I update the contents of my _netrc file (found in C:\users\account_name\).  

Honestly, I absolutely hate this app password thing.

Why I can't upvote this?

Like # people like this

Likewise.

I could tolerate the requirement to use app passwords if bitbucket provided clear documentation on how to use them. But that clarity is entirely absent.

Additionally, app passwords appear to be absolutely required in cases where they aren't needed at all.

Atlassian has dropped the ball here.

Like # people like this

Well, I got it to work the only way I could…by storing the app password in the clear in the git config. Certainly not ideal but atleast I can use git again.

Like Ralf likes this

Did they do this so that you don't expose your bitbucket login (administrative) password to the git application? I the the security risk there is that git could mirror passwords off to hackers.

Assuming a GIT version you received was not through a reputable install system?

G'day John!

Once you have generated the App Password in Personal Settings > App Password:

  • Essentially, when connecting via HTTPS you will use your AppPassword alongside your username separated with a ":" character.
  • Therefore if you are authenticating to GIT over HTTPS to push/pull you will need to update your remote URL's to include the App Password:
    git remote set-url origin https://USERNAME:APP_PASSWORD@bitbucket.org/workspaceID/reposlug.git
  • The same applies when performing git clone:
    git clone https://USERNAME:APP_PASSWORD@bitbucket.org/workspaceID/reposlug.git

Hope this helps.
Cheers!

- Ben (Bitbucket Cloud Support)

  

Well, it helps some, but it's not quite what I was looking for.

Since GIT was set up for us, we've never had to do any sort of authentication. It's all happened somewhat behind the scenes for each of us. All we enter is "git this" or "git that". How do we make this new app password work for us the same way?

Should I store my app password on an arbitrary computer? It is not safe. Why are you forcing us to do this?

 

Please explain if it is possible to continue using Attlassian Git safely on the command line with my password? If not, please report us immediately! We will be moving.

Like # people like this
Ben Atlassian Team Feb 27, 2022

Hey John,

The App Password only needs to be configured once in the git remote configuration as described above. Once this has been configured, git pull/push will function as normal and won't need any extra commands to be added.
You will only need to use the App Password explicitly when performing a git clone in the format described above.

The removal of account password usage for Basic authentication when using Git over HTTPS and/or the Bitbucket Cloud REST API is due to Bitbucket Cloud's ongoing effort to align with internal infrastructure and improve Atlassian account security. App passwords are substitute passwords for a user's account and are designed to be used for a single purpose with limited permissions.

By replacing the usage of account passwords with app passwords for Git over HTTPS and/or the Bitbucket Cloud REST API, we are able to improve account security given the fact that app passwords are single-use, have limited permissions, and can be easily and quickly revoked.

I would suggest storing the App Password in a location that is not shared by other users, using a password manager application.

If you do not believe that App Password is secure, you have the option to use SSH for authentication instead with a keypair instead of a username/password or App Password combination:
https://support.atlassian.com/bitbucket-cloud/docs/configure-ssh-and-two-step-verification/

Hope this helps.

Cheers,

Ben (Bitbucket Cloud Support)

How can I work on other computers?
Like Cory Root likes this
How can I work on other computers? Should I create and save access to my repositories on every other computer? I don't want to do it?
Like Cory Root likes this
Ben Atlassian Team Feb 28, 2022

Hey John,

To work on other pc's you will indeed need to save configuration on these machines to do so. This is because the local configuration on any given pc first needs to know how to locate the repository you are connecting to and which authentication method to use. 

For HTTPS you will need to update the remote URL's as specified above.

For SSH, you will need to transfer your private/public key files to this new pc. SSH allows you to secure the keys with a passcode however, which will prevent unauthorized access by other users unless they know what this passcode is.
To move an SSH key you simply need to move the ~/. ssh folder to the new machine and run ssh-add command to load this into your ssh-agent.
More information here:
https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/ 

If you were to move to a new pc even using the old username/password basic auth method, you would still need to configure the remote URL's so git would know where to communicate with the repository, as aforementioned above.
For your use case, I believe SSH is the most viable as the passphrase adds an extra layer of security similar to the basic password you were using previously to authenticate.

Cheers!

- Ben (Bitbucket Cloud Support)

Like Felipe Vieira Cortes likes this

I tried Ben's recommendation, but I still receive error when cloning: "The requested repository either does not exist or you do not have access...".

I did verify that my App Password has all privileges checked.

I also tried with credential manager turned off completely. And I can connect just fine with GitHub Desktop, however. :/

Update: Got it going by using jopauljn's advice: Use WORKSPACE in repo path, not username as show in Ben's comment.

So... my advice is to be very careful to use Username (not App Label) colon App Password (not username's password), and use Workspace in repo path, not Username.

Wow, how bad that is! We are forced to keep an authentication key locally! Or how to reverse the progress.

If at least, we could define the app password and not generate it...

I hope we all find another repo provider.

Hey this helped me to clear authentication for doing Git ops like "git pull origin master"

git remote set-url origin https://USERNAME:APP_PASSWORD@bitbucket.org/WORKSPACE/REPO.git

Refer to the below article for more clarity!

https://community.atlassian.com/t5/Bitbucket-articles/Announcement-Bitbucket-Cloud-account-password-usage-for-Git-over/ba-p/1948231

This worked for me! Thanks so much @jopauljn 

fyi, if you're having trouble finding your WORKSPACE, navigate to the url of your repository, for me it was the same as my username ie:

https://bitbucket.org/WORKSPACE/REPO/src/master/

I don't want to use these app passwords.
Atlassian / Bitbucket scored massive bad points on this one for me.

My gut is telling me bad intent involved, most likely in the realm of more control for them, tracking, locking people out in the future and so on.

Atlassian, good job on screwing up my productive day. Waste of time! 

So the "password" is stored in clear text ??

WOW

Sounds like a very good reason to finally do the migration github.

I found that allowing Windows to prompt for a password would 100% not accept the App password (nor the user password, obviously, since user passwords are no longer accepted...)

The only thing that worked was putting the app password into the url:

 

https://GIT_USER:APP_PASSWORD@...

 (Not required on Linux or MacOS).

Of coz, we all know that saving a string of meaningless garbage in local can make your account safer.

But as a human being, I still prefer passwords in my brain with a 2FA, or more customizable app password

Atlassian, good job on screwing up my productive day. Waste of time! 
Everything stopped working on the build server. We can't release our software!
Where are the plain step-by-step instructions??? Why I should hunt for it? What a mess!  

This is what you need to do for migration:

1. Generate AppPAssword in personal settings per Atlassian instructions.
2. Delete the existing repository local folder.
3. Run: git clone https://your_user@bitbucket.org/your_org/your_repo.git
when it will prompt a login dialog, provide AppPassword from step 1.

Like Annarita Buonaura likes this

So what happens, as is the case with me, when you have a bunch of local changes that you are trying to push but are suddenly faced with the "Fatal task" error message, indicating an app password is required? I set up an app password and tried to do the push, was prompted for my password but the app password didn't work. 

Like apersaud12 likes this

We did setup a new SSH key locally. And saved the pub key in public. Now, when we try to clone the repost, it shows the following error.

The requested repository either does not exist or you do not have access. If you believe this repository exists and you have access, make sure you're authenticated.
fatal: Could not read from remote repository.

As, we are sure that the repository exists and ssh agent has loaded the key too. But still cloning is not working. 

Ben Atlassian Team Apr 18, 2022

Hi there,

I would recommend referring to our documentation for troubleshooting this further - this will provide steps to try for common issues:
https://support.atlassian.com/bitbucket-cloud/docs/troubleshoot-ssh-issues/

Cheers!

- Ben (Bitbucket Cloud Support)

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events