I have an evaluation Stash instance that has somehow gotten into a state where every user is authenticated as me, regardless of whether they have a valid public key.
I don't know enough about how Stash's SSH server works, but I stumbled upon this page which says that the "whoami" command is available, so I created a fresh repo and logged in from a clean Linux machine:
# ssh -p 8022 git@git-server whoami
ethan
Not only does it allow me to log in (which it shouldn't), the whoami command returns my username.
This is on a completely clean machine - I picked a random Linux computer in the office and ran this command. That machine has an SSH key pair that has never been used in Stash.
Here's what led up to this problem, as far as I can tell...
This problem began when I created a repo Access Key. I then realized I'd rather have a project-level Access Key, so I deleted the repo one and added the same one as a project Access Key. All was well until I made some changes and pushed, only to realize that I shouldn't have been able to push ... but I could. This was in Stash 2.9, so I thought it might have to do with the new "Read" vs. "Read/Write" option in 2.12, so I upgraded to Stash 2.12.
In Stash 2.12, I removed the key and recreated it with explicit "Read" permissions. I could still push. So I deleted the key altogether and I could STILL push.
I removed all keys from the offending computer and I could still push. Finally I created a fresh repo, switched to an entirely different client computer, and the problem still occurs. Basically my whole GIT server is currently world-writable (within my LAN, at least) due to this problem.
Can I get any help debugging this issue?
I actually figured out what was happening. My SSH client, SecureCRT, has a checkbox for "Enable OpenSSH agent forwarding" that is selected by default. I only discovered after using "ssh -vvvv" to view debugging details about login that my local instance of Pageant was silently authenticating me via this forwarding mechanism. Thus, this is not a real problem with Stash. I apologize for the false accusations!
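A way to confirm which key actually authenticated a session like the one described above (an added example, not part of the original post): the shell functions below read `ssh -v` output and report whether the accepted key came from an agent. The log lines are constructed and follow OpenSSH 8.x client debug wording, which is an assumption; other clients and versions word these lines differently.

```shell
#!/bin/sh
# Constructed sample of `ssh -v` client output (OpenSSH 8.x-style wording).
# Key names, paths and fingerprints are made up for illustration.
sample_log() {
cat <<'EOF'
debug1: Will attempt key: ethan@laptop RSA SHA256:CONSTRUCTEDFINGERPRINTAAAA agent
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:CONSTRUCTEDFINGERPRINTBBBB
debug1: Offering public key: ethan@laptop RSA SHA256:CONSTRUCTEDFINGERPRINTAAAA agent
debug1: Server accepts key: ethan@laptop RSA SHA256:CONSTRUCTEDFINGERPRINTAAAA agent
debug1: Authentication succeeded (publickey).
EOF
}

# Reads ssh -v output on stdin and prints "<source> <key name> <fingerprint>"
# for the key the server accepted. <source> is "agent" when the key was
# supplied by an agent (local or forwarded), otherwise "file".
# Assumes key names/comments contain no spaces.
accepted_key() {
  awk '
    /^debug1: Server accepts key: / {
      src = ($NF == "agent") ? "agent" : "file"
      fp = "unknown"
      for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) fp = $i
      print src, $5, fp
    }'
}

# Counts candidate keys that an agent contributed to this login attempt.
agent_candidates() {
  awk '/^debug1: Will attempt key: .* agent$/ { n++ } END { print n + 0 }'
}

# Against a real server (host and port taken from the post):
#   ssh -v -p 8022 git@git-server whoami 2>&1 | accepted_key
# To retest with no agent in play, empty the agent socket variable:
#   SSH_AUTH_SOCK= ssh -o IdentitiesOnly=yes -v -p 8022 git@git-server whoami
sample_log | accepted_key
```

If the first field is `agent` on a machine whose own key files were never registered, the login is being satisfied by a key held elsewhere, which matches the forwarding behaviour the poster found.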