Bitbucket Server should not accept SSH2 keys

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Affects Version/s: 4.0.2
    • Component/s: None
    • Severity 3 - Minor

      Summary

      Bitbucket Server users are able to upload an SSH2-type key to a repo as an "Access Key".

      In a certain scenario (we couldn't reproduce it yet), a customer reported that Stash strangely assigns the push to the ---- END SSH2 PUBLIC KEY ---- user, which does not exist in the system and appears only as part of the SSH2 key type.

      How does Stash do it?

      When a Stash/Bitbucket Server user pushes to a repo using SSH, the PR registers the changes as pushed by the email address that is used in the SSH key. This email is mapped against the email address of a Stash/Bitbucket Server user, and his/her username is shown.

      In the example above, that mapping in Stash/Bitbucket Server seems to happen incorrectly due to this bug.

      Steps to Reproduce

      We could only reproduce the fact that Stash/Bitbucket Server accepts the upload of an SSH2-type key. However, our documentation doesn't guide users to use that type.

      1. Create SSH keys
      2. Convert them to SSH2 type. I used the following command:
        ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub
        
      3. Upload the content of id_rsa_ssh2.pub to Stash/Bitbucket

      Expected Results

      Stash/Bitbucket Server will reject the key.

      Actual Results

      Stash/Bitbucket Server accepts the key.

      Workaround

      Do not use SSH2 keys in Bitbucket Server.
      If that was the case and you had pushes using SSH incorrectly assigned to the ---- END SSH2 PUBLIC KEY ---- user in PR updates that you want to be fixed, please raise an issue with https://support.atlassian.com
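
      The check the Expected Results section asks for, as an added example that is not part of the original report and not Bitbucket Server's own code: a validator that rejects the SSH2 (RFC 4716) output of `ssh-keygen -e` and accepts only OpenSSH one-line keys. The function name, the allowed-type set and the sample keys are assumptions made for this example.

```python
import base64
import binascii
import struct

ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}  # assumption for this example
SSH2_MARKERS = ("---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----")


def check_public_key(text):
    """Return (accepted, reason) for pasted public-key text."""
    text = text.strip()
    # RFC 4716 output of `ssh-keygen -e` is multi-line and wrapped in markers.
    if any(marker in text for marker in SSH2_MARKERS):
        return False, "SSH2 (RFC 4716) format"
    lines = text.splitlines()
    if len(lines) != 1:
        return False, "not a single line"
    fields = lines[0].split(None, 2)  # type, base64 blob, optional comment
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return False, "unsupported or missing key type"
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return False, "invalid base64"
    # The blob begins with a length-prefixed algorithm name that must match
    # the textual type field.
    if len(blob) < 4:
        return False, "blob too short"
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode("ascii"):
        return False, "type does not match blob"
    return True, "ok"


# Constructed sample input: an all-zero ed25519 blob, not a usable key.
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
OPENSSH_SAMPLE = "ssh-ed25519 " + SAMPLE_B64 + " user@example.com"
SSH2_SAMPLE = "\n".join([
    "---- BEGIN SSH2 PUBLIC KEY ----",
    'Comment: "constructed sample"',
    SAMPLE_B64,
    "---- END SSH2 PUBLIC KEY ----",
])

if __name__ == "__main__":
    for name, sample in (("openssh", OPENSSH_SAMPLE), ("ssh2", SSH2_SAMPLE)):
        print(name, check_public_key(sample))
```

      Rejecting on the marker lines before any field parsing keeps the `---- END SSH2 PUBLIC KEY ----` trailer from ever being read as a key comment or user label.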

        1. Pull request.PNG
          123 kB
          ThiagoBomfim

            Assignee:
            Unassigned
            Reporter:
            ThiagoBomfim (Inactive)