How to restrict bitbucket server to user+IP

Use case: We have developers in training at our office. They need access to source code so  we'll assign them a PC from which they can pull/push from/to bitbucket server. For security reasons this PC is the only one they can use to work with the source code

Issue: These developers can still go to a different PC and access the source code from bitbucket, since their credentials allow access, as needed per the use case

Question 1: Is there a way we can restrict bitbucket access (both push and pull) for a userid+IP combination: in this way these developers would be able to access the code because they're allowed to (user restriction) but only from the restricted PC (adding IP to authorization)

Question 2: Any other was we can solve the issue in the use case


1 answer

1 accepted

There's nothing in Bitbucket itself to help with this out of the box, but I can think of a few options:

- download the Atlassian Supported SAML add-on, and only let them log in through SAML (don't let them know what their internal password is).

- Use a third-party add-on like Kerberos to handle it

- write a plugin that implements a <servlet-filter> to reject access to certain users from certain IPs on each request. You might have to do something special for SSH - not sure. Maybe an AuthenticationHandler would work too. E.g. an AuthenticationSuccessHandler might be able to log them out if their IP is bad? 

Best of luck!


Thanks Adam.

  • About  authentication tools, we use crowd. Is Atlassian crowd able help here, do you know?
  • About AuthebticationSuccessHandler, could you provide an example of implementation?

I'm not sure if there's anything in Crowd that would help, sorry. is something I think you could use. You can pull the user out of the context ( and then look up the approved IPs for that user. If they don't match, you log them out. I think that might work? But actually I'm no expert on this and could be completely wrong.

Another option might be to look at com.atlassian.bitbucket.internal.ssh.server.DefaultSshAuthenticationHandler in the source code (you can download this if you've purchased a license), and preempt it with an SshAuthenticationHandler of your own that does the same thing, but also checks for IPs before succeeding (and explicitly fails/throws if the IP doesn't match so that the DefaultSshAuthenticationHandler doesn't get a chance to try).

Sorry I can't give you more detailed help - I'm not the best person to be answering this question, I just thought I'd tell you what I know.

Thanks Adam. It's not resolving my issue, but it's the best lead I have.

Suggest an answer

Log in or Join to answer
Community showcase
Piotr Plewa
Published Dec 27, 2017 in Bitbucket

Recipe: Deploying AWS Lambda functions with Bitbucket Pipelines

Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda&nbsp...

681 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot