Bitbucket Server
BSERV-10175

update Bitbucket SSH algorithms



    • Type: Suggestion
    • Status: Gathering Interest
    • Resolution: Unresolved


      Would like to see an update to ssh algorithms available to Bitbucket. Here is a list of CIPHER, KEY_EXCHANGE, and MAC that are not currently supported and should be added:

      Key exchange: ecdh-sha2-nistp256 and ecdh-sha2-nistp384.
      Ciphers: chacha20-poly1305@openssh.com, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, and aes256-gcm@openssh.com.
      MACs: umac-128@openssh.com, umac-64@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com, and umac-64-etm@openssh.com.

      server_host_key_algorithms currently only supports ssh-rsa. Bitbucket should add rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, and ssh-ed25519.

      For PCI compliance, it is occasionally necessary to disable some SSH algorithms, like anything that depends on MD5 and, soon, SHA-1. Increasing the available SSH ciphers to the newer and stronger ciphers is important to meet compliance.

      This is the current list of SSH supported algorithms from a default install of Ubuntu:

      $ nmap --script ssh2-enum-algos -sV -p 22
      Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-19 14:16 CDT
      Nmap scan report for
      Host is up (0.00044s latency).
      22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
      | ssh2-enum-algos:
      |   kex_algorithms: (6)
      |       curve25519-sha256@libssh.org
      |       ecdh-sha2-nistp256
      |       ecdh-sha2-nistp384
      |       ecdh-sha2-nistp521
      |       diffie-hellman-group-exchange-sha256
      |       diffie-hellman-group14-sha1
      |   server_host_key_algorithms: (5)
      |       ssh-rsa
      |       rsa-sha2-512
      |       rsa-sha2-256
      |       ecdsa-sha2-nistp256
      |       ssh-ed25519
      |   encryption_algorithms: (6)
      |       chacha20-poly1305@openssh.com
      |       aes128-ctr
      |       aes192-ctr
      |       aes256-ctr
      |       aes128-gcm@openssh.com
      |       aes256-gcm@openssh.com
      |   mac_algorithms: (10)
      |       umac-64-etm@openssh.com
      |       umac-128-etm@openssh.com
      |       hmac-sha2-256-etm@openssh.com
      |       hmac-sha2-512-etm@openssh.com
      |       hmac-sha1-etm@openssh.com
      |       umac-64@openssh.com
      |       umac-128@openssh.com
      |       hmac-sha2-256
      |       hmac-sha2-512
      |       hmac-sha1
      |   compression_algorithms: (2)
      |       none
      |_      zlib@openssh.com
      Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
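The scan above is the manual version of a check that is worth automating when you have many SSH endpoints (Bitbucket, bastions, build agents) to keep within a PCI baseline. The following script is an added example and is not part of the issue or of Atlassian's code: it parses `ssh2-enum-algos` output in the format shown above, reports which algorithms from the list requested in this issue a server does not offer, and flags offered algorithms that match weak patterns (MD5, SHA-1, CBC, 3DES, arcfour, group1 key exchange, and `ssh-rsa` host-key signatures, which use SHA-1). The baseline dictionary, the weak-pattern list and the sample scan text are all assumptions constructed for the example; adjust them to local policy.

```python
"""Audit an SSH server's advertised algorithms against a baseline.

Parses `nmap --script ssh2-enum-algos` output and reports
  - algorithms the baseline requires but the server does not offer, and
  - offered algorithms that match weak patterns a PCI review would flag.
"""
import re

# Constructed sample in the ssh2-enum-algos output format (not a real host).
# It lacks most of the algorithms the issue asks for and still offers
# SHA-1/MD5/CBC-based ones, so both halves of the audit have findings.
SAMPLE_SCAN = """\
22/tcp open  ssh     OpenSSH 7.2p2 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes128-cbc
|       3des-cbc
|   mac_algorithms: (4)
|       hmac-sha2-256
|       hmac-sha1
|       hmac-md5
|       hmac-sha2-512-etm@openssh.com
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Assumed baseline: the algorithms the issue asks Bitbucket to add, keyed by
# the category names nmap prints.
REQUIRED = {
    "kex_algorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384"},
    "server_host_key_algorithms": {"rsa-sha2-512", "rsa-sha2-256",
                                   "ecdsa-sha2-nistp256", "ssh-ed25519"},
    "encryption_algorithms": {"chacha20-poly1305@openssh.com", "aes192-ctr",
                              "aes256-ctr", "aes128-gcm@openssh.com",
                              "aes256-gcm@openssh.com"},
    "mac_algorithms": {"umac-128@openssh.com", "umac-64@openssh.com",
                       "hmac-sha2-512-etm@openssh.com",
                       "umac-128-etm@openssh.com", "umac-64-etm@openssh.com"},
}

# Assumed weak patterns: MD5- and SHA-1-based names, CBC-mode ciphers,
# 3DES, arcfour, group1 key exchange, and ssh-rsa (SHA-1 signatures).
WEAK_PATTERNS = [re.compile(p) for p in (
    r"md5", r"sha1$", r"-cbc$", r"^3des", r"arcfour", r"group1-", r"^ssh-rsa$")]

SECTION_RE = re.compile(r"^\|\s+(\w+):\s+\(\d+\)$")   # "|   kex_algorithms: (6)"
ENTRY_RE = re.compile(r"^\|_?\s+([^\s:]+)$")          # "|       aes256-ctr"


def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output."""
    algos, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()          # tolerate pasted/indented output
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            algos[current].append(m.group(1))
    return algos


def audit(algos, required=REQUIRED, weak_patterns=WEAK_PATTERNS):
    """Compare parsed lists to the baseline.

    Returns {"missing": {category: [...]}, "weak": {category: [...]}};
    only categories with findings are present, lists are sorted.
    """
    missing, weak = {}, {}
    for category, wanted in required.items():
        gap = sorted(wanted - set(algos.get(category, [])))
        if gap:
            missing[category] = gap
    for category, offered in algos.items():
        if category == "compression_algorithms":   # not a crypto choice
            continue
        bad = sorted(a for a in offered
                     if any(p.search(a) for p in weak_patterns))
        if bad:
            weak[category] = bad
    return {"missing": missing, "weak": weak}


def audit_scan_text(text):
    """Convenience wrapper: raw nmap output in, findings dict out."""
    return audit(parse_enum_algos(text))


if __name__ == "__main__":
    import json
    print(json.dumps(audit_scan_text(SAMPLE_SCAN), indent=2))
```

Feed it `nmap --script ssh2-enum-algos -p 22 <host>` output saved to a file, or run it as-is to see the findings for the constructed sample. A server that advertises everything in the issue's list and none of the weak patterns produces empty `missing` and `weak` dictionaries, which makes the script usable as a pass/fail gate in a compliance job.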


        Attachment: various-keys.png (68 kB, Bryan Turner)

              Assignee: Unassigned
              Reporter: Ravi GH
              Votes: 34
              Watchers: 27