Someone has already added that SSH key to another account

Chris Kitching November 2, 2022

This slightly daft policy is preventing me from adding my SSH key to my account.


Please can somebody identify which account is making use of the following public key, and clear it out? I would have asked tech support directly, but apparently that's not a thing. :D


It is not clear to me why this policy exists. Public keys are, you know, *public*. One must hold the private key in order to do anything interesting with them. Enforcing uniqueness in this fashion seems misguided (and is an obstacle in situations where "just generate a new keypair" is problematic).


2 answers

0 votes
Nic Brough -Adaptavist-
Community Leader
November 3, 2022

@Ben is going to get this sorted for you, so most of what I'd usually say here is not needed.

I wanted to pick up on the theme of "daft".  You're absolutely right about a public key being public - they're fine to share.  But not to give them to different owners.  They should have a single owner (account).

The best analogy for this stuff I have found is a padlock on a box. 

Your public/private keys are not keys, but a padlock and its key.  Your public key is a lock.  You give that to anyone you want - they can then lock up a box with it and send it wherever, but only you, the owner of the private key, have the key to unlock it.

So, while it's possible for many people to use the key pair, you reduce your security by sharing public keys with many accounts. 

More importantly, you massively reduce trust.  Someone sending you something locked up with your padlock probably has a very good reason to use it, and they *really* would like to know that it is only you, on the intended account, that can open the box they send you.

Enforcing uniqueness by key is something more systems should be doing, it is the right thing to do.

But I would like a feature in Bitbucket to allow admins (rather than just Atlassian) to be able to identify the account that needs to stop sharing keys.

Chris Kitching November 3, 2022

A public key does not enable the creation of cryptographic signatures, only the verification thereof. An encrypted message alone is not proof of identity (that's what signatures are for).

It is simply untrue that a public key enables you to impersonate someone as outlined in your example.
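
The two replies above disagree about what holding someone's public key lets you do. The following is an added example, not part of either participant's post and not Bitbucket's code, that models SSH public-key authentication with Ed25519 from the Go standard library: the server issues a random challenge, only the holder of the private key can sign it, and a party holding only the public key cannot produce an accepted response. It also models the uniqueness policy the question is about: hosted Git SSH endpoints have every client connect as the same system user, so the key itself is what selects the account, and a key registered to two accounts makes that lookup ambiguous. The `Account`, `KeyRegistry` and error names are constructed for this illustration and are assumptions about that general design, not a description of Bitbucket's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Account is the server-side record: an account name and the public key registered for it.
// (Constructed model of how a hosted Git service stores an SSH key; not Bitbucket's schema.)
type Account struct {
	Name   string
	PubKey ed25519.PublicKey
}

// GenerateAccount creates a fresh Ed25519 key pair and an account holding the public half.
func GenerateAccount(name string) (Account, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Account{Name: name, PubKey: pub}, priv
}

// NewChallenge returns a random nonce; the client must sign it to prove possession of the
// private key. This is the shape of the SSH "publickey" authentication step.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// RespondWithPrivateKey is what the legitimate owner can do: sign the challenge.
func RespondWithPrivateKey(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// RespondWithPublicKeyOnly models a party holding only the public key. A public key can
// verify signatures but cannot create them, so the only available "response" is a guess;
// 64 random bytes stand in here (constructed) for any such guess.
func RespondWithPublicKeyOnly(_ ed25519.PublicKey, _ []byte) []byte {
	guess := make([]byte, ed25519.SignatureSize)
	if _, err := rand.Read(guess); err != nil {
		panic(err)
	}
	return guess
}

// Authenticate is the server check: accept only a signature over this exact challenge
// that verifies under the account's registered public key.
func Authenticate(acct Account, challenge, sig []byte) bool {
	return ed25519.Verify(acct.PubKey, challenge, sig)
}

// Fingerprint identifies a key by the SHA-256 of its raw bytes (hex here for readability;
// OpenSSH shows the same hash base64-encoded with a "SHA256:" prefix).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// KeyRegistry maps a key fingerprint to the account names that registered it.
type KeyRegistry map[string][]string

var (
	ErrKeyInUse   = errors.New("public key already registered to another account")
	ErrAmbiguous  = errors.New("public key maps to more than one account")
	ErrUnknownKey = errors.New("public key not registered")
)

// Register adds the key for the account. With enforceUnique set (the policy the thread is
// about) a second owner is refused; without it the registry can become ambiguous.
func (r KeyRegistry) Register(acct Account, enforceUnique bool) error {
	fp := Fingerprint(acct.PubKey)
	for _, owner := range r[fp] {
		if owner == acct.Name {
			return nil // same account re-adding its own key is harmless
		}
		if enforceUnique {
			return ErrKeyInUse
		}
	}
	r[fp] = append(r[fp], acct.Name)
	return nil
}

// ResolveAccount answers "which account is this key?", the lookup an SSH Git endpoint must
// make when every client logs in as the same user and the key is the only identifier.
func (r KeyRegistry) ResolveAccount(pub ed25519.PublicKey) (string, error) {
	owners := r[Fingerprint(pub)]
	switch len(owners) {
	case 0:
		return "", ErrUnknownKey
	case 1:
		return owners[0], nil
	default:
		return "", ErrAmbiguous
	}
}

func main() {
	acct, priv := GenerateAccount("chris")
	ch := NewChallenge()
	fmt.Println("private-key holder accepted:", Authenticate(acct, ch, RespondWithPrivateKey(priv, ch)))
	fmt.Println("public-key-only party accepted:", Authenticate(acct, ch, RespondWithPublicKeyOnly(acct.PubKey, ch)))
	reg := KeyRegistry{}
	_ = reg.Register(acct, true)
	fmt.Println("second account registering same key:", reg.Register(Account{Name: "other", PubKey: acct.PubKey}, true))
}
```

The signature check shows the point made in the reply above: possession of the public key gives no ability to authenticate as its owner. The registry part shows what the uniqueness rule protects in this model: not the key's secrecy, but the server's ability to map one key to exactly one account at login time.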

0 votes
Ben
Atlassian Team
November 3, 2022

Hi Chris,

Welcome to the Bitbucket Cloud community!

I have censored your post as per our policies regarding the protection of user-generated content, given that this is a public forum.

The copied SSH key appears to have been incorrectly formatted so I was unable to search this from my end.

I have opened a support ticket on your behalf - please check your email and we will continue to communicate there :)

Cheers!

- Ben (Bitbucket Cloud Support)
