How to restrict bitbucket server to user+IP

Use case: We have developers in training at our office. They need access to source code so  we'll assign them a PC from which they can pull/push from/to bitbucket server. For security reasons this PC is the only one they can use to work with the source code

Issue: These developers can still go to a different PC and access the source code from bitbucket, since their credentials allow access, as needed per the use case

Question 1: Is there a way we can restrict bitbucket access (both push and pull) for a userid+IP combination: in this way these developers would be able to access the code because they're allowed to (user restriction) but only from the restricted PC (adding IP to authorization)

Question 2: Any other was we can solve the issue in the use case


1 answer

1 accepted

0 votes
Accepted answer
Adam Ahmed Atlassian Team Nov 10, 2016

There's nothing in Bitbucket itself to help with this out of the box, but I can think of a few options:

- download the Atlassian Supported SAML add-on, and only let them log in through SAML (don't let them know what their internal password is).

- Use a third-party add-on like Kerberos to handle it

- write a plugin that implements a <servlet-filter> to reject access to certain users from certain IPs on each request. You might have to do something special for SSH - not sure. Maybe an AuthenticationHandler would work too. E.g. an AuthenticationSuccessHandler might be able to log them out if their IP is bad? 

Best of luck!


Thanks Adam.

  • About  authentication tools, we use crowd. Is Atlassian crowd able help here, do you know?
  • About AuthebticationSuccessHandler, could you provide an example of implementation?
Adam Ahmed Atlassian Team Nov 10, 2016

I'm not sure if there's anything in Crowd that would help, sorry. is something I think you could use. You can pull the user out of the context ( and then look up the approved IPs for that user. If they don't match, you log them out. I think that might work? But actually I'm no expert on this and could be completely wrong.

Another option might be to look at com.atlassian.bitbucket.internal.ssh.server.DefaultSshAuthenticationHandler in the source code (you can download this if you've purchased a license), and preempt it with an SshAuthenticationHandler of your own that does the same thing, but also checks for IPs before succeeding (and explicitly fails/throws if the IP doesn't match so that the DefaultSshAuthenticationHandler doesn't get a chance to try).

Sorry I can't give you more detailed help - I'm not the best person to be answering this question, I just thought I'd tell you what I know.

Thanks Adam. It's not resolving my issue, but it's the best lead I have.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 06, 2018 in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

1,905 views 7 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you