Bitbucket recently updated their SSH host keys, as detailed here: https://bitbucket.org/blog/ssh-host-key-changes
My team has a custom application that regularly pulls from a Bitbucket repo, and a lot of our PCs use SSH to do so.
Due to an oversight by my team, we did not update the known hosts for those PCs before the key rotation took place on June 20. As a result, all the PCs that use SSH can no longer update from the repo. They get a message that says "Remote host identification has changed" and "Fatal: Could not read from remote repository." We would like to update our application to automatically add the new keys to known_hosts, but since the application's binary files also exist in that repo, there is currently no way for us to automatically update all PCs.
Is there a way to temporarily bypass this in our repo, maybe by temporarily allowing access with SHA256? That way we can update our application so it adds the new key to known_hosts. Afterward, we can re-enable the feature that blocks access with SHA256.
Alternatively, if people have a better suggestion, please let me know.
Hi Nathan!
I'm not sure what you mean by "access with SHA256". Are you referring to the RSA host key of Bitbucket Cloud?
Even though we introduced two new host keys using the ECDSA and Ed25519 algorithms, we still have an RSA host key.
However, the RSA host key was replaced with a new one on 20th June 2023. It will not be possible for a client to establish the authenticity of Bitbucket Cloud using the old RSA key since it is no longer there. The known hosts for these PCs will need to be updated so that they can connect to Bitbucket Cloud.
If you are using OpenSSH or a compatible client, you can follow the instructions on the blog on how to update the known hosts.
We also have the following FAQ page that has some questions and answers about some other SSH clients:
Kind regards,
Theodora
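The answer above points at the blog post for the manual steps; the poster's actual problem is doing the same thing programmatically from an updater. Below is an added example (not code from the thread, from Bitbucket, or from the blog post) of what that updater step looks like: drop every known_hosts entry for the host, including HashKnownHosts-style hashed entries, then append the new keys only after checking each key's SHA256 fingerprint against an allow list. The key blobs, fingerprints, salt and host names in the demo data are constructed for the example; in real use the allow list holds the fingerprints published by Bitbucket, and `new_keys` is the output of `ssh-keyscan bitbucket.org`.

```python
"""Rotate the known_hosts entries for one host after a server-side key change.

Added example, not code from the thread or from Bitbucket: the key blobs and
fingerprints below are constructed for the demo.  In real use the expected
fingerprints are the SHA256 values published by the host operator.
"""
import base64
import hashlib
import hmac
from pathlib import Path

HOST = "bitbucket.org"


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (the form `ssh-keygen -lf` prints) of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def entry_matches_host(host_field: str, host: str) -> bool:
    """True if a known_hosts host field names `host`.

    Handles the plain form ("bitbucket.org,192.0.2.1") and the hashed form
    written when HashKnownHosts is on ("|1|<salt>|<hmac-sha1(salt, host)>").
    """
    if host_field.startswith("|1|"):
        parts = host_field.split("|")
        salt, mac = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return host in host_field.split(",")


def rotate_known_hosts(lines, host, new_keys, expected_fingerprints):
    """Drop every entry for `host`, then append `new_keys` ("<type> <blob>" strings,
    e.g. the output of `ssh-keyscan host`) whose fingerprint is on the allow list.

    A key whose fingerprint is not allow-listed aborts the whole update: accepting
    an unverified key from the network would defeat the point of known_hosts.
    """
    kept = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)  # blank lines and comments pass through untouched
            continue
        # an optional @cert-authority / @revoked marker precedes the host field
        host_field = fields[1] if fields[0].startswith("@") else fields[0]
        if not entry_matches_host(host_field, host):
            kept.append(line)
    for key in new_keys:
        keytype, blob = key.split()[:2]
        fp = fingerprint(blob)
        if fp not in expected_fingerprints:
            raise ValueError(f"{host}: {keytype} key has unexpected fingerprint {fp}")
        kept.append(f"{host} {keytype} {blob}")
    return kept


def update_known_hosts_file(path, host, new_keys, expected_fingerprints):
    """Apply rotate_known_hosts to a known_hosts file in place (e.g. ~/.ssh/known_hosts)."""
    p = Path(path).expanduser()
    lines = p.read_text().splitlines() if p.exists() else []
    p.write_text("\n".join(rotate_known_hosts(lines, host, new_keys, expected_fingerprints)) + "\n")


# ---- constructed demo data (not real keys, not Bitbucket's fingerprints) ----
def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def _fake_ed25519_blob(fill: int) -> str:
    """A syntactically valid ssh-ed25519 blob carrying a dummy 32-byte point."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)).decode()


OLD_BLOB, NEW_BLOB, OTHER_BLOB = _fake_ed25519_blob(0x22), _fake_ed25519_blob(0x11), _fake_ed25519_blob(0x33)
# In production this set holds the fingerprints copied from the operator's announcement.
EXPECTED_FINGERPRINTS = {fingerprint(NEW_BLOB)}


def demo_hashed_host(host: str, salt: bytes = b"demo-salt-demo-salt-") -> str:
    """Build a HashKnownHosts-style host field so the demo also covers hashed entries."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def demo_rotation():
    """Rotate a constructed known_hosts: two stale bitbucket.org entries
    (one plain, one hashed), one unrelated host and a comment."""
    before = [
        "# managed by the updater",
        f"bitbucket.org ssh-ed25519 {OLD_BLOB}",
        f"{demo_hashed_host('bitbucket.org')} ssh-ed25519 {OLD_BLOB}",
        f"example.com ssh-ed25519 {OTHER_BLOB}",
    ]
    return rotate_known_hosts(before, HOST, [f"ssh-ed25519 {NEW_BLOB}"], EXPECTED_FINGERPRINTS)


if __name__ == "__main__":
    print("\n".join(demo_rotation()))
```

With a stock OpenSSH client the removal half of this is `ssh-keygen -R bitbucket.org`, and `ssh-keygen -lf` on a file of `ssh-keyscan` output prints the same SHA256 fingerprints the script computes, so the allow-list check can be done by hand the same way. The check is the part not to skip: piping `ssh-keyscan` straight into known_hosts re-creates trust-on-first-use and would accept whatever key a man-in-the-middle presented. None of this changes the poster's bootstrap problem: the updated updater still has to reach the PCs by some path other than the SSH pull that is currently failing, which the thread does not settle.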