git@bitbucket.org: Permission denied (publickey).

webdevep_ru September 23, 2020

The sh-Tv command doesn't work git@bitbucket.org

outstanding result

debug1: /root/.ssh/config line 1: Applying options for bitbucket.org
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to bitbucket.org [18.234.32.157] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/authorized_keys type 0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/authorized_keys-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_c123b90d72-dirty conker-3005
debug1: no match: conker_c123b90d72-dirty conker-3005
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:DMEUMt83IdFNcKAmA2t/K3EH9lfpjVWijIu0zH8LtlI /root/.ssh/authorized_keys
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@bitbucket.org: Permission denied (publickey).

in SSH keys, I created a key and added it to authorized_keys.

also bitbucket.org added to known_hosts.

my config:

Host bitbucket.org
Hostname bitbucket.org
User git
PreferredAuthentications publickey
IdentityFile ~/.ssh/authorized_keys 

 

6 answers

2 accepted

0 votes
Answer accepted
webdevep_ru October 9, 2020

However, I can see that this public SSH key is not associated with any Bitbucket Cloud account.

you mean here? https://take.ms/Y9TXd

what's this for, then? https://take.ms/uVerz

Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 19, 2020

Hello,

Thank you for your reply, I believe I misunderstood the issue. I assumed that you were trying to set up SSH for your Bitbucket Cloud account rather than in Pipelines, since you mentioned issues with the command ssh -Tv git@bitbucket.org. My apologies for the misunderstanding.

For SSH keys in Pipelines, you are right about adding the public SSH key to your server's authorized_keys file, and also updating the known hosts in the SSH keys page of the repository.

I am unsure why you are trying to test connectivity to Bitbucket with the command ssh -Tv git@bitbucket.org. This is a command used to test the SSH connection from your machine to Bitbucket, when you set up SSH for your Bitbucket Cloud account.

If you want to use SSH in your Pipelines build in order to connect to your server, I assume that you want to test the SSH connection from the build to your server? In order to do that, you would need to add in your bitbucket-pipelines.yml file a command like the following:

ssh user@host

where
user replace with the username of the user you connect to in your server
host replace with the IP of your server

Is this something that works for you?

Kind regards,
Theodora

Like grimcap likes this
0 votes
Answer accepted
webdevep_ru October 6, 2020

1.Can you adjust the content of the config file as follows and see if this helps?

didn't help.

ls -ld /root/.ssh

drwx------ 2 root root 4096 Sep 25 17:33 /root/.ssh

 

ssh -Tvvv git@bitbucket.org

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for bitbucket.org
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "bitbucket.org" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to bitbucket.org [18.234.32.157] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa_bitbuket type 0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa_bitbuket-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_c123b90d72-dirty conker-3008
debug1: no match: conker_c123b90d72-dirty conker-3008
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to bitbucket.org:22 as 'git'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from bitbucket.org
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from bitbucket.org
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /root/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys from 18.234.32.157
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /root/.ssh/id_rsa_bitbuket (0x55a4ee24b1c0), explicit
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:JZ/TMr2RR5jlNqT8ALlT6jK6zUHSCTNr29JiqN4QOmE /root/.ssh/id_rsa_bitbuket
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@bitbucket.org: Permission denied (publickey).

 2. Can you perhaps share the public SSH key here, so I can check whether it is uploaded in your Bitbucket Cloud account?

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfJdZ12xmKK4NU2e1MUalmoi0JQr0mGKpqgguKuGUifLE41hc/fnF0BJciX3RaJUSW3N39e1woRfHzNASCMSjMtYrmIA3JrFmh47vx/X8nmpjczJwZJiIvIBSW8YkHbywenSGabQNe22J7rHazJ+6K4S7MOKleR8niJRjO3BGXjpsiE+hcByFHeK5X0XTYXlAqQ1B87NA3HTIL2oHduzyYDq+lLnhb8yIIxZ1UzVBKRHDmk3oruuUhdrEL/ubor7gGMMxftbdt6jwykUtRH79c4poxhT2gWb+nL6mBf/7WgmLwkvQ5QCip86akfOzIUCnWXDSzPkkijH2XLCSUld/zE3HdK20EAdYSLWWrnMlbIFYTV0v474Rpq7vDatD11VyUJULM1HaAudi3Lzl04mUl0LWRcSP1/qOhtSc9dHabpk9+NldChN16tPmVoI1exJpgSZm//Vk2FcW9AzwCFssv3+IU7JGbZYnx0W9/3J/J+2DZpvNWy28bsg2956MDKwz7a5x+vsR8Ho657Pb8rQwO3WJ6EfcPZUW/muHrNN2ESZjkQz+0DPqygFRdz25hze/QVcC8iwKeowMr6CIBYcQXDAS4L7RjaX95RNqTj/gumNqVnfN972dJFpcQZX/3F2uFk8vYvr/n3UGQjY02tFcRzuu0v96gpKeS8tgTv8lLzw== team@webdevep.ru
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 9, 2020

Hello,

Thank you for the info. The permissions for the .ssh directory seem to be ok.

However, I can see that this public SSH key is not associated with any Bitbucket Cloud account.

Can you upload it to your Bitbucket Cloud account and give it another try?

You can upload the key if you:

  1. Log in to https://bitbucket.org/
  2. Select your avatar (bottom left corner) > Personal settings
  3. In the new page that opens, select SSH keys
  4. In there, you can add your public SSH key

Afterwards, you can execute the command ssh -Tvvv git@bitbucket.org again and please feel free to let me know how it goes.

Kind regards,
Theodora

Like m.brehmer likes this
3 votes
Richard Lopez Fulguera February 21, 2021

hi, this config works for me:

[.ssh]$ cat config
Host bitbucket.org
    Hostname bitbucket.org
    IdentityFile ~/.ssh/id_rsa
    PubkeyAcceptedKeyTypes=+ssh-rsa

Mateo Gomez Zuluaga August 5, 2021

That's the trick!

simefield December 4, 2022

Thanks! This got things moving for me, though my third line reads IdentityFile ~/.ssh/id_rsa-user2 as I had to create a second SSH key pair to git clone my repo.

Like Deepak Belwal likes this
0 votes
webdevep_ru October 21, 2020

i try, but it not work https://take.ms/X6xlQ

Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 26, 2020

Hello,

I see in your screenshot that you are using the atlassian/ssh-run pipe.

I can see from a previous screenshot that you updated the known hosts in the repository Settings > SSH keys.

You also mentioned that you have added the public SSH key in the authorized_keys file.

Can you confirm if the public SSH key has been added to the .ssh/authorized_keys files for the user root in your server?

A possible reason for this error would be if the key has been added to .ssh/authorized_keys of a different user instead of root.

Kind regards,
Theodora

webdevep_ru October 27, 2020

I added it to root, I don't have any other users.

Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 30, 2020

Hi @webdevep_ru ,

A few things we can check:

1. Permissions of the .ssh folder and .ssh/authorized_keys file on your server.

Can you set permissions as follows?

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

for the root user on your server

2. The SSH key pair you use, did you generate it from the SSH keys page of the repo?
Or did you generate it in one of your own machines, and then added it in the SSH keys page?

If you generated in one of your own machines, did you create a passphrase?

One possibility is that authentication is failing because the SSH key pair has a passphrase.

Kind regards,
Theodora

0 votes
webdevep_ru September 25, 2020

no, I'm connecting from my server on ubuntu

ssh-add -l

4096 SHA256:fsdfdgdfgfdgdg /root/.ssh/id_rsa_bitbuket (RSA)

accordingly I generated the key in the bitbucket and added it

ssh -Tv git@bitbucket.org

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for bitbucket.org
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to bitbucket.org [18.234.32.155] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa_bitbuket type 0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa_bitbuket-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_c123b90d72-dirty conker-3007
debug1: no match: conker_c123b90d72-dirty conker-3007
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:JZ/TMr2RR5jlNqT8ALlT6jK6zUHSCTNr29JiqN4QOmE /root/.ssh/id_rsa_bitbuket
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@bitbucket.org: Permission denied (publickey).

 

ls -lah /root/.ssh/

total 24K
drwx------ 2 root root 4.0K Sep 25 17:33 .
drwx------ 6 root root 4.0K Sep 25 17:24 ..
-rw-r--r-- 1 root root 55 Sep 25 17:29 config
-rw------- 1 root root 3.2K Sep 25 17:33 id_rsa_bitbuket
-rw-r--r-- 1 root root 742 Sep 25 17:33 id_rsa_bitbuket.pub
-rw-r--r-- 1 root root 1.8K Sep 25 17:35 known_hosts
cat /root/.ssh/config

Host bitbucket.org
IdentityFile ~/.ssh/id_rsa_bitbuket
  
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 28, 2020

Hello,

Thank you for your reply.

I can see that now you have an SSH key pair named id_rsa_bitbuket and the file permissions seem to be ok.

1. Can you adjust the content of the config file as follows and see if this helps?

Host bitbucket.org
HostName bitbucket.org
User your-Bitbcuket-username
PreferredAuthentications publickey
IdentityFile /root/.ssh/id_rsa_bitbuket

Replace your-Bitbcuket-username above with your own Bitbucket username.

2. Can you perhaps share the public SSH key here, so I can check whether it is uploaded in your Bitbucket Cloud account?

You can get the contents of the public key with

cat /root/.ssh/id_rsa_bitbuket.pub

If you don't feel comfortable sharing that publicly, please feel free to let me know and I can open a ticket for you with our support team.

3. Could you also please let me know what are the permissions on the .ssh directory?

ls -ld /root/.ssh

4. Can you run the ssh command as follows and share the output? This will give us more verbose output and possibly an indication of what may going wrong.

ssh -Tvvv git@bitbucket.org

Kind regards,
Theodora

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 23, 2020

Hello,

If you are trying to connect from your own machine to Bitbucket Cloud (https://bitbucket.org/) you don't need an authorized_keys file. The authorized_keys file is used if you want to connect e.g. to a server of yours via SSH.

For Bitbucket Cloud, if you want to connect an SSH key to your Bitbucket Cloud account, then you add the public key to your Bitbucket account Settings:

  1. After you log in to https://bitbucket.org/, go to your avatar (bottom left corner) > Personal settings
  2. Select SSH keys
  3. Add in there the public SSH key you generated

Is this an action you have performed?

I see in your config the line

IdentityFile ~/.ssh/authorized_keys

Is authorized_keys the name of the SSH key you generated? Or the name of a file you created, containing the public key?

Could you let us know what is the output of

ls -lah /root/.ssh/

so we can see the contents of this folder and also the permissions of the files there?

Kind regards,
Theodora

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events