OpenSSH 8.7 and ssh-rsa host key

Hi,

OpenSSH disabled the ssh-rsa signature scheme and now when I want to push/pull to/from my repositories I receive the following error:

Unable to negotiate with 104.192.141.1 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What can I do to make it work?

8 answers

1 accepted

14 votes
Answer accepted

This worked for me, in ~/.ssh/config:

    Host bitbucket.org
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa

Well, although this works, this is a workaround rather than a solution. There is a very good security reason OpenSSH (finally) disabled ssh-rsa (which is based on SHA-1: theoretically broken in 2004, practically broken in 2017, cheaply broken in 2020).

The solution is for bitbucket to allow up-to-date hash algorithms.

See my related question.


@joel_kuepper are you having trouble adding keys with newer hashing algorithms? Support for ECDSA and ED25519 SSH keys was added in August 2016 - https://bitbucket.org/blog/ssh-improvements-bitbucket-cloud
Or, is it a different one other than ECDSA or ED25519 that you're looking for?

//Edit: Ah, I see the issue. Bitbucket Cloud is not offering a new algorithm for the host key.


@Jeff Thomas Yes, you are correct, I am referring to the host key algorithm. So what happens now that you are aware of this?

(When) can we expect Bitbucket to offer new hash algorithms (in the coming days, weeks, months)?

@Jeff Thomas please fix ASAP, any day now, when Ubuntu/Windows update OpenSSH, this issue will really explode.


I'm not from the Bitbucket Cloud team, but that team is aware of the issue. 


Helped me a lot, thanks ser!


Thanks brother!! This really helped me!!!
Thanks Carlos, helped me a lot!!!


This helped. Would be good to allow newer algos, I have to use newer algos with other tools so I have to balance multiple keys until this is solved.

Just FYI, if you did not follow the issue-tracker; it is solved now. You can remove the +ssh-rsa entry from the config file
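As an added example (not code from the answer above, nor anything Bitbucket ships), here is a small Python audit that reads a client ssh_config and reports every directive that re-enables ssh-rsa or ssh-dss, telling a global setting apart from one scoped to a single Host block. The sample config it checks is constructed for the example; the directive names are the real ssh_config keywords, including the older PubkeyAcceptedKeyTypes spelling. It does not follow Include files.

```python
"""Audit a client ssh_config for directives that re-enable SHA-1 signature schemes.

Added example, not part of the original answer. SAMPLE_CONFIG is constructed; the
parser understands Host/Match scoping and the +/-/^ operators but not Include files.
"""
import re

WEAK = {"ssh-rsa", "ssh-dss"}  # SHA-1 schemes that OpenSSH disables by default
# Directives whose value is a signature-algorithm list (older spellings included).
ALG_DIRECTIVES = {
    "hostkeyalgorithms",
    "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes",
    "hostbasedacceptedalgorithms", "hostbasedkeytypes",
}
GLOBAL_SCOPES = {"(top level)", "host *", "match all"}

SAMPLE_CONFIG = """\
# Constructed sample ~/.ssh/config
# Re-enabled for every host: this is the mistake to catch
HostKeyAlgorithms +ssh-rsa

Host bitbucket.org
    User git
    IdentityFile ~/.ssh/id_ed25519
    # Scoped to one host: tolerable as a temporary workaround
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Host *.internal.example
    # Removal only tightens the list, never flagged
    HostKeyAlgorithms -ssh-rsa
"""


def audit_ssh_config(text):
    """Return [(scope, directive, [weak names])] for each directive enabling a WEAK scheme."""
    findings = []
    scope = "(top level)"  # lines before the first Host/Match apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        directive = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if directive in ("host", "match"):
            scope = "%s %s" % (directive, value.lower())
            continue
        if directive not in ALG_DIRECTIVES or value.startswith("-"):
            continue  # '-' removes names; it cannot re-enable anything
        names = set(value.lstrip("+^").split(","))
        weak = sorted(names & WEAK)
        if weak:
            findings.append((scope, directive, weak))
    return findings


def global_findings(findings):
    """Subset of findings that apply to every host, i.e. the workaround applied too broadly."""
    return [f for f in findings if f[0] in GLOBAL_SCOPES]


if __name__ == "__main__":
    for scope, directive, weak in audit_ssh_config(SAMPLE_CONFIG):
        flag = "GLOBAL" if scope in GLOBAL_SCOPES else "scoped"
        print(flag, scope, directive, ",".join(weak))
```

Two caveats for anyone applying the accepted answer: only the HostKeyAlgorithms line bears on the "no matching host key type found" error, which concerns the server's host key; PubkeyAcceptedAlgorithms governs the signatures made with your own key and is not needed with an ED25519 user key. And because ssh uses the first value obtained for each directive, a `Host bitbucket.org` block must appear before any top-level line that sets the same directive, or the block is silently ignored.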

3 votes

Bitbucket has had a long time to support other keys. AWS has also lagged here, but for authentication public keys (not host keys), and now supports ED25519.

Bitbucket has just stood there and done absolutely nothing and the only way to use it now is to lower the security of your system.

If you apply the security degrading workaround make sure it is JUST for the bitbucket.org host and not everything.

Hopefully this will help organisations break the "well its free with Jira so let's just use it" way of thinking and move to a real Git hosting provider.

1 vote

LMAO how is this not fixed yet?! 1 week away from this issue turning a month old putting aside the enormous complacency that led to this debacle in the first place.

1 vote

Hi everyone,

One of our engineering managers has published a community article with more info on the issue as well as workarounds:

The Bitbucket team is working on adding the updated signature support to our SSH server and we will provide another update once these changes have been implemented.

If you'd like to get notified on updates, you can watch either the community article or this BCLOUD ticket.

Kind regards,
Theodora

1 vote

As of 2021-10-01 I cannot connect to Bitbucket via SSH without re-enabling ssh-rsa after updates on Arch Linux. It's absolutely ridiculous that I just went through the support article recommending the use of an ed25519 key, only to find out that Bitbucket does not accept ed25519 :-D

Atlassians, please fix this.

Unable to negotiate with 104.192.141.1 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

Did you try the config change from my comment above? I'm also using Arch and ED25519 is working, but I had to add the `HostKeyAlgorithms +ssh-rsa` line to my `~/.ssh/config` file for bitbucket.org in order for it to work.

@marcusball Didn't work on windows

I just started getting this issue today, as well. This seems absolutely ridiculous that Bitbucket hasn't upgraded to support any of the new SSH key types yet.

Exactly. But GitLab offers a nice migration tool. I just moved my repos over there.


Unfortunately this is my company's repo; I'd move it over in a heartbeat if it wouldn't mean migrating everyone else and the various connected services.


Okay, I think I figured out a solution. I used some of the SSH config change from this answer, and created a new SSH key based on this article.

Basically, I made a new key using ED25519 (`ssh-keygen -t ed25519`), added it to my Bitbucket profile, and added ssh-rsa to the HostKeyAlgorithms in `~/.ssh/config`:

    Host bitbucket.org
        User git
        IdentityFile ~/.ssh/id_ed25519
        HostKeyAlgorithms +ssh-rsa

I hope you know what that means. OpenSSH disabled this insecure algorithm, and you explicitly enable it again. This should not be a long-term solution imo, but we can only wait for bitbucket to fix this.

On OpenBSD 6.9 with OpenSSH 8.6 this problem does not exist. On my laptop I'm on OpenBSD-current, which now uses OpenSSH 8.7, and I think it's because they made this change:

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to
assist the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

https://www.openssh.com/txt/release-8.7
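To make the negotiation described in the release note concrete, here is an added Python simulation (not OpenSSH code, and not part of the post above) of how the client picks a host key algorithm and how the ssh_config `+`, `-` and `^` operators change the outcome. CLIENT_DEFAULT is an abbreviated, non-certificate version of the OpenSSH 8.7 default HostKeyAlgorithms list (an assumption; `ssh -G host | grep hostkeyalgorithms` prints the real one). SERVER_BITBUCKET_2021 is exactly the offer quoted in the error in this thread, while SERVER_FIXED is a hypothetical offer from a server that has added RFC 8332 signatures for the same RSA host key.

```python
"""Simulate OpenSSH host-key algorithm negotiation and the ssh_config list operators.

Added example, not OpenSSH code. CLIENT_DEFAULT is an abbreviated assumption; the
real client also reorders this list to prefer key types already in known_hosts.
"""
from fnmatch import fnmatch

CLIENT_DEFAULT = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "rsa-sha2-512", "rsa-sha2-256",
]
# Host key signature algorithms named in the thread's error line.
SERVER_BITBUCKET_2021 = ["ssh-rsa", "ssh-dss"]
# Hypothetical offer after a fix: same RSA host key, SHA-2 signatures added in front.
SERVER_FIXED = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss"]


def apply_option(defaults, value):
    """Apply an ssh_config HostKeyAlgorithms value to the default list.

    '+a,b' appends, '-a,b' removes (patterns allowed), '^a,b' prepends; anything else
    replaces the list outright, which is why `+ssh-rsa` is the least damaging spelling.
    """
    op, body = (value[0], value[1:]) if value[:1] in ("+", "-", "^") else ("", value)
    names = [n for n in body.split(",") if n]
    if op == "+":
        return defaults + [n for n in names if n not in defaults]
    if op == "-":
        return [a for a in defaults if not any(fnmatch(a, p) for p in names)]
    if op == "^":
        return names + [a for a in defaults if a not in names]
    return names


def negotiate(client_list, server_offer):
    """RFC 4253 section 7.1: first algorithm in the client's list that the server also offers."""
    for alg in client_list:
        if alg in server_offer:
            return alg
    return None


def connect(client_list, server_offer, host="104.192.141.1", port=22):
    """Return (ok, detail): the chosen algorithm, or the client's error text on failure."""
    chosen = negotiate(client_list, server_offer)
    if chosen is None:
        return (False, "Unable to negotiate with %s port %d: no matching host key type found. "
                       "Their offer: %s" % (host, port, ",".join(server_offer)))
    return (True, chosen)


if __name__ == "__main__":
    print(connect(CLIENT_DEFAULT, SERVER_BITBUCKET_2021))                           # the thread's error
    print(connect(apply_option(CLIENT_DEFAULT, "+ssh-rsa"), SERVER_BITBUCKET_2021))  # the workaround
    print(connect(apply_option(CLIENT_DEFAULT, "+ssh-rsa"), SERVER_FIXED))           # workaround left in place
    print(connect(apply_option(CLIENT_DEFAULT, "-ssh-rsa"), SERVER_FIXED))           # the release-note check
```

Two things the simulation makes visible: with `+ssh-rsa` the SHA-1 scheme sits at the end of the client's list, so once the server offers rsa-sha2-512 the client moves to it on its own and the leftover workaround costs nothing, whereas `^ssh-rsa` or a bare `ssh-rsa` would keep selecting SHA-1 even against a fixed server; and the release note's `ssh -oHostKeyAlgorithms=-ssh-rsa user@host` is just `apply_option(..., "-ssh-rsa")`, which succeeds only if the server can sign its host key with something other than SHA-1.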

Facing the same issue here. Not sure whether the fact that I rely heavily on the .ssh/config file helps make this issue happen.

Me too, I added

HostbasedAcceptedAlgorithms +ssh-rsa

but it didn't help.

Wondering about migrating my repos to GitHub. This issue does not exist there.

I did some quick research and it sounds like the issue occurs when using OpenSSH >= 8.5.

If you're using an OS that has already upgraded to this version (or higher), the best solution for now is creating Access Tokens and updating the remote URL to the HTTP format.

Maybe it's because of the change they mention here: https://www.openssh.com/txt/release-8.7

