Bitbucket Data Center
BSERV-19588

SSH Certificate Authentication in Bitbucket to Support


    • Type: Suggestion
    • Resolution: Unresolved
    • Authentication
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      As it stands today, Bitbucket allows only SSH keys to be used when interacting over SSH. Service accounts and services engaging with Bitbucket connect via a private and public SSH key pair. The private key resides at the source server(s) or service(s) and the public key at the corresponding repository, project or account level within Bitbucket. This can allow a large landscape of SSH keys to be built up, which is difficult to manage.

      Because of the inherent flaws of SSH keys, the same problems present themselves when they are used with Bitbucket:

      • Unintended Logon: traditional SSH keys cannot be directly tied to an identity or service; they can be shared or mismanaged. This mismanagement can lead to unintended identities or services authenticating with those key pairs.
      • Key Sprawl: a proliferation of key pairs can lead to unknown and hard-to-track authentication. Traditional key pairs do not have an expiration built in, thus they exist in perpetuity once they are issued.
      • Nonrepudiation: because the key pairs are not tied to an identity, it can be near impossible to track the service or person carrying out the work.

      SSH keys are of paramount importance when used with Bitbucket; they allow authentication to the VCS and enable the automation of code deployments and application build-outs.

      Solution:

      An SSH Certificate CA issues key pairs with identity and expiration attributes for enhanced security. Identity and expiration are included in the metadata of the SSH key pair, which is signed by the SSH Certificate template public certificate, ensuring authenticity.

      Introducing SSH Certificates to Bitbucket would allow a single public signing certificate to be used across the tool. For example, the public signing certificate could be installed at the account level within Bitbucket and would then sign the key pairs issued to connecting identities, verifying the configured time constraint and enforcing authenticity and duration.

      Identities would request a key pair from the designated SSH Certificate CA template prior to a connection and then perform the necessary function (code pull or commit) as they would when connecting with traditional SSH keys. Leveraging an SSH Certificate CA rather than traditional SSH keys ensures that the identities interacting with Bitbucket are the correct identities authenticating, prevents a massive build-up of difficult-to-manage SSH keys and sets an expiration on the issued key pair.

      Requirements:
       - OpenSSH 5.4 or higher
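      The certificate workflow the request describes, as an added example that is not part of this issue: a CA key is created, a user key is signed with an identity (-I), a principal (-n) and a validity window (-V), and the certificate's metadata is then inspected the way a server that trusts the CA would check it. It assumes ssh-keygen from a current OpenSSH on PATH and uses throwaway keys in a temporary directory; the names alice, user-ca and example.com are constructed.

```shell
#!/bin/sh
# Added example, not from the Jira issue: an SSH user-certificate workflow
# with OpenSSH's ssh-keygen. Assumes ssh-keygen (OpenSSH 5.4+, ed25519 keys)
# is on PATH. Every key here is a constructed throwaway in a temp directory.
set -eu
WORK="$(mktemp -d)"

# The CA key pair. Only ca.pub is ever handed to the server that trusts it.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/ca"
}

# Sign a user's public key into a certificate. -I is the key ID that appears
# in server logs, -n the principal(s) the holder may authenticate as, and -V
# the validity window, so the credential expires on its own.
issue_cert() {
    user="$1"
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/$user"
    ssh-keygen -q -s "$WORK/ca" -I "$user@example.com" -n "$user" -V +1h "$WORK/$user.pub"
    printf '%s\n' "$WORK/$user-cert.pub"
}

# Checks a verifier performs on the certificate metadata (ssh-keygen -L).
cert_principal()  { ssh-keygen -L -f "$1" | awk '/Principals:/ {getline; print $1}'; }
cert_is_bounded() { ssh-keygen -L -f "$1" | grep -q 'Valid: from'; }  # not "forever"
cert_signed_by_ca() {
    ca_fp="$(ssh-keygen -lf "$WORK/ca.pub" | awk '{print $2}')"
    ssh-keygen -L -f "$1" | grep 'Signing CA:' | grep -qF "$ca_fp"
}

make_ca
CERT="$(issue_cert alice)"
ssh-keygen -L -f "$CERT"   # shows Key ID, Valid: from/to, Principals
if cert_signed_by_ca "$CERT" && cert_is_bounded "$CERT"; then
    echo "certificate accepted for principal $(cert_principal "$CERT")"
fi
# Server side (sshd_config), one trusted CA key instead of per-user entries:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
```

      The issue asks Bitbucket to play the role of the `TrustedUserCAKeys` line: hold one CA public key and accept any key it has signed, within the certificate's principal and validity constraints.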

              Assignee: Unassigned
              Reporter: Anuroop Kottamparambil
              Votes: 0
              Watchers: 4