Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Someone has already added that SSH key to another account

Chris Kitching
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
November 2, 2022

This slightly daft policy is preventing me from adding my SSH key to my account.

 

Please can somebody identify which account is making use of the following public key, and clear it out? I would have asked tech support directly, but apparently that's not a thing. :D

 

It is not clear to me why this policy exists. Public keys are, you know, *public*. One must hold the private key in order to do anything interesting with them. Enforcing uniqueness in this fashion seems misguided (and is an obstacle in situations where "just generate a new keypair" is problematic).

 

2 answers

0 votes
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 3, 2022

@Ben is going to get this sorted for you, so most of what I'd usually say here is not needed.

I wanted to pick up on the theme of "daft".  You're absolutely right about a public key being public - they're fine to share.  But not give them to different owners.  They should have a single owner (account).

The best analogy for this stuff iI have found s a padlock on a box. 

Your public/private keys are not keys, but a padlock and its key.  Your public key is a lock.  You give that to anyone you want - they can then lock up a box with it and send it where-ever, but only you, the owner of the private key, have the key to unlock it.

So, while it's possible for many people to use the key pair, you reduce your security by sharing public keys with many accounts. 

More importantly, you massively reduce trust.  Someone sending you something locked up with your padlock probably has a very good reason to use it, and they *really* would like to know that it is only you, on the intended account, that can open the box they send you.

Enforcing uniqueness by key is something more systems should be doing, it is the right thing to do.

But I would like a feature in Bitbucket to allow admins (rather than just Atlassian) to be able to identify the account that needs to stop sharing keys.

Chris Kitching
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
November 3, 2022

A public key does not enable the creation of cryptographic signatures, only the verification thereof. An encrypted message alone is not proof of identity (that's what signatures are for).

It is simply untrue that a public key enables you to impersonate someone as outlined in your example.

0 votes
Ben
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 3, 2022

Hi Chris,

Welcome to the Bitbucket Cloud community!

I have censored your post as per our policies regarding the protection of user-generated content, given that this is a public forum.

The copied SSH key appears to have been incorrectly formatted so I was unable to search this from my end.

I have opened a support ticket on your behalf - please check your email and we will continue to communicate there :)

Cheers!

- Ben (Bitbucket Cloud Support)

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events