BitBucket: Host key verification failed

11

108

I want to clone a remote repository to my local machine. I used the command:

git clone git@bitbucket.org:<username>/<repo_name>.git

and I got the message:

The authenticity of host 'bitbucket.org (104.192.143.3)' can't be
established. RSA key fingerprint is
SHA256:****. Are you sure you
want to continue connecting (yes/no)?  Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository
exists.

I just want to mention that I already took care of the ssh issues. I generated an ssh key by the command 'ssh-keygen' and I copied the contents of ~/.ssh/id_rsa.pub to Bitbucket Settings -> SSH keys (according to this link: https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html)

I also looked at my "user and group access" and I saw this:

enter image description here

Can you advise me what to do?

Together answered 13/11, 2016 at 17:27 Comment(6)
Have you checked permissions on this project? - Subscapular
How do I check it? Is it Settings -> Branch Permissions? - Together
No. Go to the repository -> Settings -> User and groups access - Subscapular
I added the screenshot to the original post - Together
"Host key verification failed"!!! - Tryptophan
@Jakuje, OK... what do I have to do? - Together
T
146

The message says

Host key verification failed.

nothing about authentication, so you are working on the wrong field. It means that the host key of bitbucket.org is not in your ~/.ssh/known_hosts and your client does not have any way to verify it. It was answered many times how to work around it, but how to do it properly?

There is a section in the Bitbucket manuals describing what their public keys and fingerprints look like. So:

  1. Run ssh bitbucket.org
  2. It will prompt you with one of the fingerprints:

    The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established.
    RSA key fingerprint is SHA256:*****.
    Are you sure you want to continue connecting (yes/no)?
    
  3. You verify the fingerprint in the prompt is the same as on the bitbucket website:

    SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
    
  4. You write yes and press enter to verify the connection works.

Or just copy the public key from the Bitbucket website directly into the ~/.ssh/known_hosts file:

echo "bitbucket.org,104.192.143.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==" >> ~/.ssh/known_hosts

If none of the above helps, please run ssh -vvv bitbucket.org and post the output to the edited question.

Tryptophan answered 13/11, 2016 at 20:44 Comment(6)
When I type: "ssh bitbucket.org" I get: The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established. RSA key fingerprint is SHA256:*****. Are you sure you want to continue connecting (yes/no)? yes Host key verification failed. - Together
"2. It will prompt you with one of the fingerprints" = "RSA key fingerprint is SHA256:*****." (from the link in the post). - Tryptophan
Sadly, the website you link to has no mention of zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A anymore. However, it is still right. So, your answer has become canon. - Keyway
@BrunoBronosky the public key fingerprints are still available on the BitBucket website, which also has some further details. - Sholley
Thanks, @Alex. I added the new URL to the answer. - Keyway
I updated the link again; the original one only has MD5, not SHA-256. I finally found the answer thanks to this Q&A. Bitbucket is good at hiding the SSH keys, which doesn’t sound right; the SSH key should be well-known for the SSH trust model to work. It should be the first result from Googling “Bitbucket host key”. In contrast, the GitHub public key is typically the first result. - Whallon
Q
78

Update May/June 2023:

ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys

New host keys added

  • On May 15, 2023 2300 UTC we added two new host keys using the ECDSA and Ed25519 algorithm
  • On June 20, 2023 1700 UTC we will replace our current RSA host key
  • On June 20, 2023 1700 UTC we will also remove our DSA host key; this key will stop working entirely.

So... TLDR; (even on Windows):

ssh-keygen -R bitbucket.org && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts

Note: Before June, the content of https://bitbucket.org/site/ssh is still the old keys.

That will add the new official keys from Bitbucket to your ~/.ssh/known_hosts:

bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=

bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=

bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO


Why?

We recently learned that encrypted copies of Bitbucket’s SSH host keys were included in a data breach of a third-party credential management vendor.

The SSH protocol uses host keys to establish the identity of a trusted server for every SSH connection, like when a git pull establishes a SSH connection to Bitbucket Cloud.

Though we believe the risk of compromise is low, by rotating the host keys proactively we are mitigating future risk should the old host keys be decrypted.

If we did not change the host keys it might have been possible in the future for a threat actor to potentially use the old host keys in combination with an already compromised network to trick clients into connecting to and trusting a malicious host.


Čamo notes in the comments that if you still have the error:

Warning: the ECDSA host key for 'bitbucket.org' differs from the key for the IP address '104.192.141.1

Then you can, as in this thread, do:

We had to add a newline to the end of the curl command that was provided in the guide.

The warning message you are receiving is likely related to old entries on your known_hosts file that are pointing to the Bitbucket IP, instead of the domain name bitbucket.org.

To resolve this issue, you can remove the older entries and store the new ones using the following command:

ssh-keygen -R bitbucket.org && sed -i.old -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/d' ~/.ssh/known_hosts && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts

Quantity answered 16/5, 2023 at 18:19 Comment(6)
Just a note for Windows users. I had to put the keys here: C:\Windows\System32\config\systemprofile\.ssh\known_hosts - Arabist
@Arabist Only if you are using an Administrator account, as seen here. $HOME is set to %USERPROFILE%, so make sure to use a regular account. - Quantity
I did everything that is in the documentation. But I am getting an error: Warning: the ECDSA host key for 'bitbucket.org' differs from the key for the IP address '104.192.141.1' - Robet
@Čamo Make sure you have run ssh-keygen -R bitbucket.org and that you do not see any reference to bitbucket in ~/.ssh/known_hosts: open the file and check. Then add the new keys. - Quantity
I found the solution here community.atlassian.com/t5/Bitbucket-questions/… - Robet
@Čamo Thank you for your feedback. I have edited the answer to include your comment. Let me know if I have copied the right solution from the thread you mentioned. - Quantity
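Added example (not part of the answer or its comments): a check for leftover known_hosts entries after a host key rotation, matching on key material the way the sed command above does, so that IP-only lines and hashed host fields (HashKnownHosts), which a visual check for the host name misses, are both found. The host name, IP address and key strings are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

def host_matches(host_field, name):
    """True if a known_hosts host field names `name`, in plain or hashed (|1|salt|mac) form."""
    if host_field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = host_field.split("|")
            salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:                      # wrong field count or bad base64
            return False
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, mac)
    return name in host_field.split(",")

def stale_entries(known_hosts_text, names, official_keys):
    """List (line_no, line) for entries naming `names` with a key outside official_keys,
    plus entries under any other name (such as a bare IP) that carry the same stale key."""
    rows = []
    for no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and not line.startswith(("#", "@")):
            rows.append((no, line, fields[0], fields[2]))
    stale = {key for _, _, hosts, key in rows
             if key not in official_keys and any(host_matches(hosts, n) for n in names)}
    return [(no, line) for no, line, _, key in rows if key in stale]

def _hashed(name, salt):
    """Build a hashed host field the way HashKnownHosts stores it (for the sample only)."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample: host name, IP (TEST-NET-1) and key strings are made up.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed new host key").decode()
OTHER = base64.b64encode(b"constructed unrelated key").decode()
KNOWN_HOSTS = "\n".join([
    "git.example.test ssh-rsa " + NEW,                                     # current entry
    _hashed("git.example.test", b"constructed-salt") + " ssh-rsa " + OLD,  # hashed, old key
    "192.0.2.10 ssh-rsa " + OLD,                                           # IP-only, old key
    "other.example.test ssh-rsa " + OTHER,                                 # unrelated host
])

if __name__ == "__main__":
    for no, line in stale_entries(KNOWN_HOSTS, ["git.example.test"], {NEW}):
        print("stale line %d: %s" % (no, line))
```

Plain host fields with wildcards or the [host]:port form are not interpreted here; ssh-keygen -R handles those as well as hashed names.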
T
35
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts
Trivium answered 4/4, 2020 at 12:12 Comment(2)
If the DNS is already spoofed, this will not protect you from anything. - Tryptophan
Why would you need to touch the file if the >> would create it for you already? - Biernat
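Added example (not part of any answer here): the fingerprint comparison from the first answer, applied to ssh-keyscan output so that scanned keys reach known_hosts only when they match a fingerprint obtained separately from the vendor's documentation, which is the gap the comment above points out. The host name, both keys and the pinned value are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import struct

def key_fingerprint(key_b64):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the decoded key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """The key blob starts with a length-prefixed algorithm name; return that name."""
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")

def vet_keyscan(scan_output, host, pinned):
    """Return (accepted, rejected) ssh-keyscan lines for `host`, given pinned fingerprints."""
    accepted, rejected = [], []
    for raw in scan_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # ssh-keyscan prints banners as comments
            continue
        try:
            hosts, key_type, key_b64 = line.split()[:3]
            ok = (host in hosts.split(",")
                  and blob_key_type(key_b64) == key_type
                  and key_fingerprint(key_b64) in pinned)
        except (ValueError, struct.error):       # too few fields, bad base64, short blob
            ok = False
        (accepted if ok else rejected).append(line)
    return accepted, rejected

def _constructed_ed25519(public_bytes):
    """Build a syntactically valid ssh-ed25519 blob from 32 made-up bytes (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + public_bytes
    return base64.b64encode(blob).decode()

# Constructed sample: "git.example.test" and both keys are made up.
GENUINE = _constructed_ed25519(bytes(range(32)))
SPOOFED = _constructed_ed25519(bytes(range(1, 33)))
PINNED = {key_fingerprint(GENUINE)}   # stands in for the fingerprint read from the vendor's docs
SCAN = ("# git.example.test:22 SSH-2.0-constructed\n"
        "git.example.test ssh-ed25519 %s\ngit.example.test ssh-ed25519 %s\n" % (GENUINE, SPOOFED))

if __name__ == "__main__":
    good, bad = vet_keyscan(SCAN, "git.example.test", PINNED)
    print("append to known_hosts:", good)
    print("refused:", bad)
```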
A
12

You only need to run the following command, without any addition:

ssh-keygen -R bitbucket.org
Aeriell answered 5/7, 2023 at 14:17 Comment(0)
P
7

You'll get the same error:

Host key verification failed.

in case you press enter instead of answering the question:

Are you sure you want to continue connecting (yes/no/[fingerprint])? 

with yes

Privity answered 11/2, 2022 at 20:16 Comment(0)
E
5

The following steps worked for me personally; I had an SSH key registered on BitBucket beforehand. On Windows:

  1. Go to C:/Users/<your_username>/.ssh/known_hosts
  2. Delete the lines that start with bitbucket.org
  3. Run ssh bitbucket.org and follow instructions
Elrod answered 29/6, 2023 at 12:27 Comment(1)
Simple as that, this is what I needed on Windows 10. Maybe I missed it in previous answers, but here it is simply stated in step 2: to remove what is needed. - Spue
K
2

As already answered, the problem is that the .ssh/known_hosts file does not contain the updated fingerprints. Atlassian sent me a lot of emails but still I forgot a couple of places to upgrade before the fingerprints switch-off.

My basic solution is to add new fingerprints directly from bitbucket itself (curl https://bitbucket.org/site/ssh) after you made a safety copy of the file. The last command is just a check.

cp ~/.ssh/known_hosts ~/.ssh/known_hosts.old
curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts
ssh git@bitbucket.org host_key_info
Kannan answered 27/6, 2023 at 16:29 Comment(0)
L
0

On macOS, after following all the steps on here, I got this error.

It turned out that Bitbucket's key (including the .pub file) was generated in the home (~) directory, and in the ~/.ssh/config file (both the .ssh folder and the config file I created myself) we have to provide the path to that key. So, for me it looked like:

Host bitbucket.org
  AddKeysToAgent yes
  IdentityFile ~/ssh-key-name
Lawless answered 10/3, 2023 at 17:30 Comment(0)
V
0

I have this issue with SourceTree because I use OpenSSH but PuTTY / Plink was set.

Varietal answered 25/4, 2023 at 9:40 Comment(0)
T
0

I know this is an old thread. I landed on this page from a Google search because I faced the same error. I was able to resolve this issue in another way that is not in any of the above answers.

Solution - Instead of using the SSH url from bitbucket, I used the HTTPS url on Git CMD prompt and it worked

e.g. git clone https://[email protected]/companyservices/projectname.git

Tarsometatarsus answered 12/4 at 11:58 Comment(0)
R
-3

If you already have SSH enabled, copy all the files from the .ssh folder into a backup folder before following these steps:

  1. Open Git Bash and type ssh-keygen, and press Enter three times (one for location, and two for empty passphrase).
  2. It will create .ssh folder if not present and creates two files id_rsa & id_rsa.pub inside .ssh folder.
  3. Now go to Bitbucket settings -> SSH keys -> add key
  4. Paste id_rsa.pub string in Bitbucket and press ok.
  5. Restart Git Bash
  6. Try to clone repo. It should work now.
Rancidity answered 27/10, 2021 at 7:24 Comment(0)
