SSH Host Key Rotation
While opening Bitbucket I got a message in a snackbar saying "SSH Host Key Rotation". What does it really mean? Do I need to do something?

SSH Host Key Rotation

IMPORTANT NOTICE: Bitbucket Cloud’s RSA SSH Host Key will be rotated on June 20, 2023 1700 UTC

Augmenter answered 16/5, 2023 at 9:55 Comment(1)
bitbucket.org/blog/ssh-host-key-changes (Riven)
9

/---------------------------------------------------------------/

Update Friday 09:39 AM EST, June 23 2023

Notice: if you're using my solution and the terminal output while using "git pull && git push" with the remote Bitbucket repository is:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E.
Please contact your system administrator.
Add correct host key in /Users/yq/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/yq/.ssh/known_hosts:4
Host key for bitbucket.com has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

you need to manually remove the old Bitbucket SSH host key, using

vi /Users/your_laptop_user_name/.ssh/known_hosts or vi ~/.ssh/known_hosts, and manually delete the old Bitbucket SSH host key line, which looks like:

bitbucket.com,18.205.93.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==

then run "git pull && git push" against the remote Bitbucket repository,

and when you see the following:

The authenticity of host 'bitbucket.com (18.205.93.5)' can't be established.
ED25519 key fingerprint is   SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:30: bitbucket.org
Are you sure you want to continue connecting (yes/no/[fingerprint])?

just type yes in the terminal.

refer: ssh remote host identification has changed (Stack Overflow).

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED host key (Chinese blog).

The problem of the known_hosts file (Chinese blog).

What known_hosts writes when ssh connects to a remote repository (Chinese blog).

The output bug fixed!

/---------------------------------------------------------------/

You just need to replace the old Bitbucket SSH host key in your local laptop's ~/.ssh with the new Bitbucket SSH host key, via the command:

ssh-keygen -R bitbucket.org && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts

Notice: You do not need to generate a non-RSA type SSH key pair for Bitbucket, as Bitbucket still supports RSA type SSH key pairs for authentication. You just need to update the SSH Host Key for Bitbucket on your local machine.

Also, the Bitbucket SSH Host Key is an encryption key used to authenticate your access to your remote repository via the SSH protocol. When you first access a Bitbucket repository via SSH, the Bitbucket SSH server will present its SSH Host Key to you. You need to verify that the SSH Host Key matches the correct SSH Host Key published by Bitbucket. If the match is successful, your SSH client will accept the Bitbucket SSH Host Key and add it to the known_hosts file on your local machine.

Afterwards, whenever you access the Bitbucket repository via SSH, your SSH client will check whether the SSH Host Key of that repository matches the SSH Host Key in the known_hosts file on your local machine. This prevents security issues such as DNS spoofing and man-in-the-middle attacks, and ensures that your SSH connection is valid and secure.

refer: WHAT YOU NEED TO DO->ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys(Bitbucket Org.)

If you do not know what the problem is, that means you do not understand the SSH protocol!

Commonplace answered 2/6, 2023 at 5:15 Comment(2)
Full path would be vi ~/.ssh/known_hosts (Oyler)
@Oyler Thanks bro! Has been updated! Thanks a lot! (Commonplace)
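As an added example (not code from the answer above or from Bitbucket), here is the verification the answer describes, done offline against a known_hosts file: it computes the OpenSSH SHA256 fingerprint of every entry naming bitbucket.org (plain, comma-separated, or HashKnownHosts-hashed), compares it with the fingerprints quoted in this page's terminal output, and replaces the old entries with fetched ones only after each fetched key's fingerprint has been checked, which is the step that `curl ... >> ~/.ssh/known_hosts` skips. The sample known_hosts text, the salt and the Ed25519 key bytes are constructed; the three expected fingerprints are copied from the page's output rather than independently verified.

```python
"""Audit and rotate the Bitbucket entries of an OpenSSH known_hosts file (added example)."""
import base64
import hashlib
import hmac
import struct

# Fingerprints as quoted in the terminal output on this page (not re-verified here).
EXPECTED_BITBUCKET = {
    "ssh-ed25519": "SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM",
    "ecdsa-sha2-nistp256": "SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0",
    "ssh-rsa": "SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E",
}

# The old RSA host key blob quoted in the answer above.
OLD_RSA_BLOB = "AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="


def make_blob(keytype, key_bytes):
    """Base64 public key blob in RFC 4253 wire format; used only to build constructed samples."""
    t = keytype.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def wire_type(blob_b64):
    """Key type string embedded at the start of the blob (length-prefixed)."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def hash_host(hostname, salt):
    """Hashed host field as written by HashKnownHosts: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field, hostname):
    """True if a known_hosts host field (plain, comma-separated or hashed) names hostname."""
    for entry in host_field.split(","):
        if entry.startswith("|1|"):
            try:
                _, _, salt_b64, mac_b64 = entry.split("|")
                salt = base64.b64decode(salt_b64)
                mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
                if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                    return True
            except ValueError:
                continue
        elif entry == hostname:
            return True
    return False


def audit(known_hosts_text, hostname, expected):
    """One (lineno, keytype, fingerprint, status) per entry naming hostname.

    status is 'ok' (fingerprint is in expected), 'stale' (a key to remove) or 'malformed'
    (not a decodable key blob, or declared type disagrees with the blob)."""
    report = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if parts and parts[0].startswith("@"):  # @cert-authority / @revoked marker
            parts = parts[1:]
        if not parts or parts[0].startswith("#") or not host_matches(parts[0], hostname):
            continue
        keytype = parts[1] if len(parts) > 1 else None
        try:
            if len(parts) < 3:
                raise ValueError("missing key blob")
            fp = fingerprint(parts[2])
            if wire_type(parts[2]) != keytype:
                raise ValueError("declared key type does not match blob")
            status = "ok" if expected.get(keytype) == fp else "stale"
        except (ValueError, struct.error):  # binascii.Error and UnicodeDecodeError are ValueErrors
            fp, status = None, "malformed"
        report.append((lineno, keytype, fp, status))
    return report


def rotate(known_hosts_text, fetched_text, hostname, expected):
    """Drop every entry for hostname and append the fetched keys, but only after every
    fetched key's fingerprint has been checked; refuse (ValueError) if any is unexpected."""
    verified = []
    for line in fetched_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        fp = fingerprint(blob)
        if expected.get(keytype) != fp:
            raise ValueError("unexpected %s key %s for %s; nothing written" % (keytype, fp, host))
        verified.append("%s %s %s" % (host, keytype, blob))
    kept = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and host_matches(parts[0], hostname):
            continue
        kept.append(line)
    return "\n".join(kept + verified) + "\n"


# Constructed sample data: the salt and key bytes are placeholders, not real keys.
SALT = bytes(range(20))
GOOD_ED25519 = make_blob("ssh-ed25519", bytes(32))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "example.com ssh-ed25519 " + make_blob("ssh-ed25519", b"\x01" * 32),
    "bitbucket.org,18.205.93.3 ssh-rsa " + OLD_RSA_BLOB,
    hash_host("bitbucket.org", SALT) + " ssh-ed25519 " + GOOD_ED25519,
    "bitbucket.org ssh-rsa <new_host_key_fingerprint>",
])

if __name__ == "__main__":
    for row in audit(SAMPLE_KNOWN_HOSTS, "bitbucket.org", EXPECTED_BITBUCKET):
        print(row)
```

Run as a script it prints the audit of the constructed sample (the old RSA entry and the constructed Ed25519 entry come out as stale, the fingerprint-in-place-of-a-blob line as malformed). To use it on a real file, pass the text of ~/.ssh/known_hosts to `audit` first and delete only the entries it reports as stale; `rotate` takes the text fetched from https://bitbucket.org/site/ssh and refuses to write anything if a fetched key does not match the published fingerprints.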
6

Bitbucket added two new host keys using the ECDSA and Ed25519 algorithms and they will replace their current RSA host key with the new host keys, hence you need to switch to using the newer ECDSA or Ed25519 host keys.

Below are the steps to switch to the newer host keys.

  1. IDENTIFY IF YOUR CLIENT IS IMPACTED

Verify which host key your SSH client is using, open your terminal and run the following command:

ssh git@bitbucket.org host_key_info

Output

You are using host key with fingerprint:

ssh-ed25519 SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM

If you see either the new ECDSA or Ed25519 host key fingerprint in the output that means your SSH client has switched to the new host keys automatically and no further action is required for this client (skip point #2).

  2. CONFIGURE YOUR CLIENT TO TRUST THE NEW HOST KEYS

If neither of the new fingerprints appears in the output of your OpenSSH (or compatible) client, you can configure the new trusted host keys in the known_hosts file: open your terminal and run the command below:

ssh-keygen -R bitbucket.org && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts

  3. CONFIRM SUCCESSFUL KEY ADDITION

Re-run the commands in Step 1 to confirm that your client now trusts the new host keys.

reference

Deloris answered 20/6, 2023 at 8:37 Comment(0)
0

After hours of debugging, I came up with the solution which is following:

  • I am maintaining a different SSH key for each site, so let the SSH key files be bitbucket.pub and bitbucket
  • I realised that it was asking to connect to Bitbucket's ED25519:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM again and again
  • As per the page by Bitbucket we have to tell the ssh client to favour something else over ED25519, so for this we have to make changes in the ~/.ssh/config file
  • I made the following changes:

    Host bitbucket.org
      AddKeysToAgent yes
      IdentityFile ~/.ssh/bitbucket
      HostKeyAlgorithms ecdsa-sha2-nistp256

  • After this, when establishing a connection to Bitbucket it asks whether you want to add the connection to the known list, with the fingerprint "ECDSA key fingerprint is SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0"
  • type yes and voilà, you are done
  • check yourself as mentioned on the Jira page with the command ssh git@bitbucket.org host_key_info. Now the fingerprint should be ecdsa-sha2-nistp256 SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0

Congrats you are done with changes.

Generation answered 16/6, 2023 at 18:23 Comment(0)
-1

If you are using SSH to connect to Bitbucket Cloud, you will need to update your SSH client to the latest version before the key rotation takes place. You will also need to add the new host key to your known_hosts file.

Here are the steps on how to update your SSH client and add the new host key:

Update your SSH client to the latest version. Open your known_hosts file. Add the following line to the file:

bitbucket.org ssh-rsa <new_host_key_fingerprint>

Save the file and close it. Once you have completed these steps, you will be able to connect to Bitbucket Cloud using SSH after the host key rotation takes place.

For more information, please visit the following Bitbucket blog post: https://bitbucket.org/blog/ssh-host-key-changes

Algesia answered 15/6, 2023 at 9:40 Comment(0)
