Uploaded image for project: 'Bitbucket Cloud'
  1. Bitbucket Cloud
  2. BCLOUD-21402

OpenSSH 8.8 client incompatibility and workaround




      Update: This issue is fixed

      Bitbucket Cloud now supports rsa-sha2-256 and rsa-sha2-512 algorithms. The OpenSSH 8.8 client will function without the need for a workaround.

      The team deployed a fix on Tuesday, Oct 19. After monitoring for two days, this ticket was closed because we are confident that the OpenSSH 8.8 incompatibility has been resolved.

      Issue Summary

      The latest release of OpenSSH — version 8.8, released on September 26th — introduced a configuration change that prevents that client from connecting to Bitbucket Cloud over SSH. Bitbucket engineers are actively addressing this, and there are workarounds available in the meantime.

      See the Community post for more details.

      Steps to Reproduce

      Connect to bitbucket.org using OpenSSH >= 8.8.

      Expected Results

      SSH client connects to Bitbucket.

      Actual Results

      SSH connection fails with the following error message:

      Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss


      If you are receiving the warning above, there are two options: updating your SSH config locally, or switching from SSH to HTTPS.

      Update local SSH configuration

      You can continue to use SSH by adding the lines below into the Host bitbucket.org section of your SSH configuration:

      Host bitbucket.org
         HostkeyAlgorithms +ssh-rsa
         PubkeyAcceptedAlgorithms +ssh-rsa 

      On Unix-like systems, this configuration is located at $HOME/.ssh/config or /etc/ssh/ssh_config.

      On Windows systems, this configuration is located at %USERPROFILE%\.ssh\config or %PROGRAMFILES%\Git\etc\ssh\ssh_config.

      Use HTTPS instead of SSH

      HTTPS connections to Bitbucket Cloud are unaffected by changes to the OpenSSH client. Therefore, you can avoid this issue by updating your git client to use HTTPS instead of SSH to talk to Bitbucket Cloud by following the instructions on this page. Switching to HTTPS will require using a different authentication mechanism. We recommend using an app password for automated git clients such as build machines or if you have two-factor authentication enabled.

      To remove this workaround in the future, follow the same instructions to change your remote URL back to the SSH URL.


        Issue Links



              Unassigned Unassigned
              tkane Tom Kane (Inactive)
              66 Vote for this issue
              64 Start watching this issue