Serious security problem with SSH

I have an evaluation Stash instance that has somehow gotten into a state where every user is authenticated as me, regardless of whether they have a valid public key.

I don't know enough about how Stash's SSH server works, but I stumbled on this page which says that the "whoami" command is available, so I created a fresh repo and logged in from a clean Linux machine:

# ssh -p 8022 git@git-server whoami
ethan

Not only does it allow me to log in (which it shouldn't), the whoami command returns my username.

This is on a completely clean machine - I picked a random Linux computer in the office and ran this command. That machine has an SSH key pair that has never been used in Stash.

Here's what led up to this problem, as far as I can tell...

This problem began when I created a repo Access Key. I then realized I'd rather have a project-level Access Key, so I deleted the repo one and added the same one as a project Access Key. All was well until I made some changes and pushed, only to realize that I shouldn't have been able to push ... but I could. This was in Stash 2.9, so I thought it might have to do with the new "Read" vs. "Read/Write" option in 2.12, so I upgraded to Stash 2.12.

In Stash 2.12, I removed the key and recreated it with explicit "Read" permissions. I could still push. So I deleted the key altogether and I could STILL push.

I removed all keys from the offending computer and I could still push. Finally I created a fresh repo, switched to an entirely different client computer, and the problem still occurs. Basically my whole Git server is currently world-writable (within my LAN, at least) due to this problem.

Can I get any help debugging this issue?

2 answers

0 votes
Jason Hinch Atlassian Team Apr 16, 2014

Hi Ethan, would you please create an issue on https://support.atlassian.com. This will allow us to dig into your problem.

I actually figured out what was happening. My SSH client, SecureCRT, has a checkbox for "Enable OpenSSH agent forwarding" that is selected by default. I only discovered after using "ssh -vvvv" to view debugging details about login that my local instance of Pageant was silently authenticating me via this forwarding mechanism. Thus, this is not a real problem with Stash. I apologize for the false accusations!
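The check the thread ends on (reading the `ssh -v` output to see where the accepted key came from) can be scripted. The following is an added example written for this page; it is not code from the original post, from SecureCRT or from Atlassian. It assumes the OpenSSH 8.x debug line formats "Offering public key: <identity> [agent|explicit]" and "Server accepts key: <identity> [agent|explicit]" (older releases word these lines differently), and it reuses the host, port and user from the post. The sample log it parses is constructed, not a real capture.

```shell
# Added example (not from the original thread). Tells you whether an ssh login
# is being satisfied by a (possibly forwarded) agent instead of a key file on
# the machine you are typing on. Debug-line formats assumed: OpenSSH 8.x.

# Is an agent reachable from this shell at all? After logging into a box with
# agent forwarding enabled, SSH_AUTH_SOCK points at a socket the remote sshd
# created, and any ssh run here can silently use the keys on your desktop.
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-agent"
    elif [ -S "$SSH_AUTH_SOCK" ]; then
        echo "agent-socket:$SSH_AUTH_SOCK"
    else
        echo "stale-socket:$SSH_AUTH_SOCK"
    fi
}

# Given `ssh -v` output on stdin, list every key offered that came from an agent.
agent_keys_offered() {
    grep -E '^debug1: Offering public key: .* agent$' \
        | sed -E 's/^debug1: Offering public key: //; s/ agent$//'
}

# Given `ssh -v` output on stdin, report the key the server accepted and its
# source: "agent", "explicit" (passed with -i) or "file" (a default identity).
accepted_key() {
    line=$(grep -E '^debug1: Server accepts key: ' | head -n 1)
    if [ -z "$line" ]; then
        echo "none"
        return 0
    fi
    id=${line#debug1: Server accepts key: }
    case "$id" in
        *" agent")    echo "agent ${id% agent}" ;;
        *" explicit") echo "explicit ${id% explicit}" ;;
        *)            echo "file $id" ;;
    esac
}

# The command to retest with no agent involved, whatever the session holds:
# IdentityAgent=none (OpenSSH 7.3+) ignores SSH_AUTH_SOCK, and
# IdentitiesOnly=yes restricts ssh to key files on disk.
retest_command() {
    echo "ssh -o IdentityAgent=none -o IdentitiesOnly=yes -p 8022 git@git-server whoami"
}

# Constructed sample of `ssh -v` output (not a real capture): the local file
# key is not accepted, a key served by the forwarded agent is.
SAMPLE_LOG='debug1: Offering public key: /home/tmp/.ssh/id_rsa RSA SHA256:AAAA
debug1: Authentications that can continue: publickey
debug1: Offering public key: ethan@desktop RSA SHA256:BBBB agent
debug1: Server accepts key: ethan@desktop RSA SHA256:BBBB agent
debug1: Authentication succeeded (publickey).'

echo "agent in this shell: $(agent_status)"
echo "keys offered from an agent:"
printf '%s\n' "$SAMPLE_LOG" | agent_keys_offered
echo "accepted: $(printf '%s\n' "$SAMPLE_LOG" | accepted_key)"
echo "retest with: $(retest_command)"
```

In practice, run `agent_status` on the "clean" machine first: if it prints an agent socket you did not start yourself, the session arrived with a forwarded agent. Then pipe `ssh -v -p 8022 git@git-server whoami 2>&1` through `accepted_key`; a result starting with "agent" means the server accepted a key that lives on your desktop, not on the machine in front of you. Disabling the forwarding hop itself is `ssh -a` (or "ForwardAgent no") on the connection from the desktop.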
