Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Support for SSH keys secured with security keys

Volodymyr Lantsov
Volodymyr Lantsov
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 2, 2024

Starting from OpenSSH 8.2, SSH keys support an integration with physical security keys (FIDO2 / U2F). There are 2 new SSH key types introduced: "ed25519-sk" and "ecdsa-sk". What this actually means is that you need to have a hardware security key inserted into your USB port and a button on the security key physically pressed in order to use the SSH key.

Currently, Bitbucket does NOT support those keys however OpenSSH 8.2 was introduced back in February 2020.

I'd like to ask Bitbucket staff to consider adding the support for security keys.

I'm leaving some details below.

Example of command to generate a SK-secured SSH key (PowerShell):

ssh-keygen -t ed25519-sk -O resident -O verify-required -O user=personal -C "Personal key (SK)" -f $env:USERPROFILE\.ssh\id_personal_sk

Meaning of some parameters:

-O resident means that a generated key will be stored on the security key itself.

-O verify-required means that you need to verify the security key presence every time we try to use SSH key.

-O user=personal means that a key will be scoped to a user named 'personal'. You can define different names to store multiple SSH keys simultaneously on the same security key.

How final public key looks like:

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIOMCvBwsYCZPt1HIHAMZzC0zsCXb7t933kAudU8CP7FBAAAABHNzaDo= Personal key (SK)

Thank you for your time!

Answer
Watch
Like JoMi likes this
322 views

1 answer

1 accepted

0 votes
Answer accepted
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 6, 2024

Hi Volodymyr,

Thank you for the feedback. We have a feature request in our issue tracker:

I suggest adding your vote to that feature request (by selecting the Vote for this issue link) as the number of votes helps the product managers better understand the demand for features. You are more than welcome to leave feedback, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to be notified via email on updates.

Implementation of features is done as per our policy here and any updates will be posted in the feature request.

Kind regards,
Theodora

View More Comments
manji2k
manji2k
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 17, 2024

Hi,

is it planned to have this support for bitbucket.org as well?  I have the same problem, generated a ssh key with the ed25519-sk extension and the key gets rejected as invalid by bitbucket.

Like
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 18, 2024

Hi,

The feature request I shared in my previous answer, https://jira.atlassian.com/browse/BCLOUD-20297, is for Bitbucket Cloud (bitbucket.org).

This is not supported at the moment in Bitbucket Cloud. when there is an update, it is going to be posted in the feature request.

Kind regards,
Theodora

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events