Update: This issue is fixed

      Bitbucket Cloud now supports rsa-sha2-256 and rsa-sha2-512 algorithms. The OpenSSH 8.8 client will function without the need for a workaround.

      The team deployed a fix on Tuesday, Oct 19. After monitoring for two days, this ticket was closed because we are confident that the OpenSSH 8.8 incompatibility has been resolved.


      Issue Summary

      The latest release of OpenSSH — version 8.8, released on September 26th — introduced a configuration change that prevents that client from connecting to Bitbucket Cloud over SSH. Bitbucket engineers are actively addressing this, and there are workarounds available in the meantime.

      See the Community post for more details.

      Steps to Reproduce

      Connect to bitbucket.org using OpenSSH >= 8.8.

      Expected Results

      SSH client connects to Bitbucket.

      Actual Results

      SSH connection fails with the following error message:

      Unable to negotiate with <ip address> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

      Workaround

      If you are receiving the warning above, there are two options: updating your SSH config locally, or switching from SSH to HTTPS.

      Update local SSH configuration

      You can continue to use SSH by adding the lines below into the Host bitbucket.org section of your SSH configuration:

      Host bitbucket.org
         HostkeyAlgorithms +ssh-rsa
         PubkeyAcceptedAlgorithms +ssh-rsa 

      On Unix-like systems, this configuration is located at $HOME/.ssh/config or /etc/ssh/ssh_config.

      On Windows systems, this configuration is located at %USERPROFILE%\.ssh\config or %PROGRAMFILES%\Git\etc\ssh\ssh_config.
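      An added example, not code from Atlassian or OpenSSH: once the server offers rsa-sha2-256 and rsa-sha2-512, the +ssh-rsa lines above only keep the SHA-1 based ssh-rsa signature algorithm enabled, so they are worth finding and removing. The Python below scans ssh_config text for such overrides and reads the "Their offer" list from the negotiation error; the function names and the sample config are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Signature algorithms no longer in OpenSSH's default set: ssh-rsa (RSA with
# SHA-1, disabled by default in 8.8) and ssh-dss.
LEGACY = {"ssh-rsa", "ssh-dss"}
# Options the workaround touches. Keywords are case-insensitive;
# PubkeyAcceptedKeyTypes is the pre-8.5 name of PubkeyAcceptedAlgorithms.
KEYWORDS = {"hostkeyalgorithms", "pubkeyacceptedalgorithms",
            "pubkeyacceptedkeytypes"}

# Constructed sample config, not taken from any real machine.
SAMPLE_CONFIG = """\
# workaround from the ticket
Host bitbucket.org
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    User git

Host build-*.example.internal
    PubkeyAcceptedKeyTypes=ssh-ed25519,rsa-sha2-512

Host *
    HostKeyAlgorithms -ssh-dss
"""


def find_legacy_overrides(config_text):
    """Return (line_no, scope, keyword, legacy_algs) per weakening option."""
    findings = []
    scope = "(global)"  # options before the first Host/Match line
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword.lower() in ("host", "match"):
            scope = f"{keyword} {value}"
            continue
        # A leading '-' removes algorithms from the defaults: not a weakening.
        if keyword.lower() not in KEYWORDS or value.startswith("-"):
            continue
        # '+' appends, '^' prepends, a bare list replaces; wildcards allowed.
        patterns = [p.strip() for p in value.lstrip("+^").split(",")]
        legacy = sorted(a for a in LEGACY
                        if any(fnmatchcase(a, p) for p in patterns))
        if legacy:
            findings.append((line_no, scope, keyword, legacy))
    return findings


def offer_is_legacy_only(error_line):
    """For a 'no matching host key type' error, report whether the server
    offered only legacy algorithms; None for any other message."""
    m = re.search(r"no matching host key type found\. Their offer: (\S+)",
                  error_line)
    return None if m is None else set(m.group(1).split(",")) <= LEGACY
```

Feed `find_legacy_overrides` the contents of each config file listed above; any finding scoped to bitbucket.org can be deleted now that the server-side fix is deployed.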

      Use HTTPS instead of SSH

      HTTPS connections to Bitbucket Cloud are unaffected by changes to the OpenSSH client. Therefore, you can avoid this issue by updating your git client to use HTTPS instead of SSH to talk to Bitbucket Cloud by following the instructions on this page. Switching to HTTPS will require using a different authentication mechanism. We recommend using an app password for automated git clients such as build machines or if you have two-factor authentication enabled.

      To remove this workaround in the future, follow the same instructions to change your remote URL back to the SSH URL.

            [BCLOUD-21402] OpenSSH 8.8 client incompatibility and workaround

            dmoller added a comment -

            I am also unsubscribing because the issue is fixed.

            To all folks still having problems: know that they are due to either your bad setup or another issue unrelated to the default accepted key algorithms in OpenSSH-8.8. Please report another issue and stop causing further spam to this thread.

            Otherwise: please Atlassian moderators step in and lock this conversation.


            Deleted Account (Inactive) added a comment -

            I also confirm it now works after the fix has been removed from my ~/.ssh/config file

            mehrad_mahmoudian added a comment -

            I'm unsubscribing from this thread as I have moved all my repos to another git provider. Imho this is a lost cause as "OpenSSH 8.8 was released on 2021-09-26" which in three days will be one full month that the issue is there and Bitbucket has done nothing other than forcing us to use https instead of ssh.

            Kobus Myburgh added a comment -

            @igorl - then there is something else that could still cause this under a specific set of circumstances. Mine does not work. I have removed my workaround, I have upgraded my Git and OpenSSH again, and no luck.

            Mario Brandt added a comment -

            Command line works without the workaround. However VSCode still fails to pull or push.

            git show --textconv :next.txt
            From bitbucketorg:USERNAME/repo
            * branch            master     -> FETCH_HEAD
            fatal: Not possible to fast-forward, aborting.

            igorl added a comment -

            You shouldn't need anything. I've removed that workaround from .ssh/config (to force old algorithm for BB) and it just worked.


            Kobus Myburgh added a comment -

            It is still not working for me. Is there something I must do on my side after this to make it work? Regenerate keys? Change configs? What?

            Rok Papež added a comment -

            Good job guys.


            tomdearden added a comment -

            Working for me since the Tuesday rollout on MacOS with OpenSSH 8.8p1 - thank you!

            Tom Kane (Inactive) added a comment -

            Bitbucket Cloud now supports rsa-sha2-256 and rsa-sha2-512 algorithms. The OpenSSH 8.8 client will function without the need for a workaround.

            The team deployed a fix on Tuesday, Oct 19. After monitoring for two days we are confident that the OpenSSH 8.8 incompatibility has been resolved.

            Kind regards,

            Tom Kane
            Engineering Manager, Bitbucket Cloud

            Benjamin Blum added a comment -

            Please also think for a fix for Bitbucket DC and Server!

            Kobus Myburgh added a comment -

            Hi Mario,

            I amended my addition to config to be the same as yours, with the exception of specifying the IdentityFile, as that does not exist on my machine. This still does not solve the issue for me.

            Mario Brandt added a comment -

            On Windows with Git for Windows 2.33.1 the C:\Users\MyName\.ssh\config settings it works. But only with the bash. Other programs like VSCode do not work, even though they should use the config settings.

            Host bitbucket.org
                HostkeyAlgorithms +ssh-rsa
                PubkeyAcceptedAlgorithms +ssh-rsa
                User git
                IdentityFile ~/.ssh/bitbucket
                CheckHostIP no

            Kobus Myburgh added a comment - - edited

            I downgraded my Git for Windows from 2.33.1 to 2.32.0. This came with a downgraded OpenSSH as well (8.5) which also did not solve the problem for me. So - seems like on Windows 10, the downgrade of OpenSSH does not solve the problem. Then I thought, maybe I downgraded too far back, so I downgraded to Git 2.33.0, which uses OpenSSH 8.7p1, which seems to be the version that still worked for most - but it still does not work for me. I am still getting the same errors:

            $ ssh -Tv git@bitbucket.org
            OpenSSH_8.7p1, OpenSSL 1.1.1k 25 Mar 2021
            debug1: Reading configuration data /c/Users/kobus/.ssh/config
            debug1: /c/Users/kobus/.ssh/config line 1: Applying options for bitbucket.org
            debug1: Reading configuration data /etc/ssh/ssh_config
            debug1: /etc/ssh/ssh_config line 49: Applying options for bitbucket.org
            debug1: Connecting to bitbucket.org [104.192.141.1] port 22.
            debug1: Connection established.
            debug1: identity file /c/Users/kobus/.ssh/id_rsa type 0
            debug1: identity file /c/Users/kobus/.ssh/id_rsa-cert type -1
            debug1: identity file /c/Users/kobus/.ssh/id_dsa type -1
            debug1: identity file /c/Users/kobus/.ssh/id_dsa-cert type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ecdsa type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ecdsa-cert type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ecdsa_sk type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ecdsa_sk-cert type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ed25519 type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ed25519-cert type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ed25519_sk type -1
            debug1: identity file /c/Users/kobus/.ssh/id_ed25519_sk-cert type -1
            debug1: identity file /c/Users/kobus/.ssh/id_xmss type -1
            debug1: identity file /c/Users/kobus/.ssh/id_xmss-cert type -1
            debug1: Local version string SSH-2.0-OpenSSH_8.7
            debug1: Remote protocol version 2.0, remote software version conker_df6142773d 4b68042c6c94
            debug1: compat_banner: no match: conker_df6142773d 4b68042c6c94
            debug1: Authenticating to bitbucket.org:22 as 'git'
            debug1: load_hostkeys: fopen /c/Users/kobus/.ssh/known_hosts2: No such file or directory
            debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
            debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
            debug1: SSH2_MSG_KEXINIT sent
            debug1: SSH2_MSG_KEXINIT received
            debug1: kex: algorithm: curve25519-sha256@libssh.org
            debug1: kex: host key algorithm: ssh-rsa
            debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
            debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
            debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
            Connection reset by 104.192.141.1 port 22


            Milan Radanović added a comment -

            Hello,

            The .ssh/config workaround didn't work for me so I just downgraded OpenSSH from 8.8 to 8.7 and it is working correctly.
            I am on Manjaro Linux.

            Hopefully this might help until this is fixed.

            Juraj added a comment -

            I'm on Windows 10 and the problem started I think after GIT updated few days ago.

            But the workaround "Update local SSH configuration" (adding those 3 lines) worked perfectly on both of my machines.

            In my case the config file was placed in `%PROGRAMFILES%\Git\etc\ssh\ssh_config` and not in ".ssh" folder.


            Kobus Myburgh added a comment -

            Also the same problem, and none of the workarounds work for me either, using Windows 10.

            I have picked up the following peculiarities:

            • This happens only at my client's offices (not having this issue at home)
            • When I switch DNS servers it [push and pull] sometimes goes through (might be coincidental).
            • When I switch between Wi-Fi and Wired connection at client, it sometimes goes through as well (again, might be coincidental).

            I have regenerated SSH keys as per the Bitbucket help page here: https://support.atlassian.com/bitbucket-cloud/docs/set-up-an-ssh-key/ and I have uploaded this new key to Bitbucket. Still not resolved.

            Drakeo added a comment -

            none of the workarounds work for me in Linux. Look for alternatives

            Host bitbucket.org
                HostkeyAlgorithms +ssh-rsa
                PubkeyAcceptedAlgorithms +ssh-rsa

             Time to update like the rest of the git communities. id_ed25519

            but your server will not call or use the protocol


            Rok Papež added a comment -

            Hi,

            this is not the way how to solve it, so you are suggesting to put workaround into all our build systems, git clients and all over the place? And when you will solve the issue, you will suggest to remove it? I hope that you can do better than this, this is not devops attitude and culture you are selling to us.

            Kind Regards

            Rok

            Preeti Kota added a comment -

            dbe645743c83: please see this community article which describes the issue and workarounds. We are actively working on supporting the replacement signature algorithms on our SSH server and will post an update here once that is in place.

            Please let us know if you have any questions.

            mehrad_mahmoudian added a comment -

            This is a serious issue! It has been 4 days since this issue is reported (over two days that I'm personally struggling with) and yet no response or official statement from Bitbucket?! no blog post or announcement?! I'm pulling out all my repos as soon as possible, I cannot afford waiting longer.

            P.s: Read OpenSSH release document if your business is highly dependent on it!

            https://www.openssh.com/txt/release-8.8

              Unassigned Unassigned
              tkane Tom Kane (Inactive)
              Affected customers: 66
              Watchers: 64
