Repository checkout fails with "Bad server host key: Invalid key length"
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After updating the Linux operating system, its security policies or the OpenSSH package, Bamboo Server and Agents start failing Git checkouts with the following message:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Bad server host key: Invalid key length
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
at com.atlassian.bamboo.plugins.git.NativeGitOperationHelper.fetch(NativeGitOperationHelper.java:554)
at com.atlassian.bamboo.plugins.git.NativeGitOperationHelper.fetch(NativeGitOperationHelper.java:524)
at com.atlassian.bamboo.plugins.git.v2.AbstractGitExecutor.fetchCacheWithRetry(AbstractGitExecutor.java:240)
at com.atlassian.bamboo.plugins.git.v2.GitWorkingCopyManager.lambda$checkout$1(GitWorkingCopyManager.java:236)
at io.atlassian.util.concurrent.ManagedLocks$ManagedLockImpl.withLock(ManagedLocks.java:293)
at com.atlassian.bamboo.plugins.git.GitCacheDirectory$LoggingManagedLock.withLock(GitCacheDirectory.java:44)
at com.atlassian.bamboo.plugins.git.v2.GitWorkingCopyManager.checkout(GitWorkingCopyManager.java:234)
at com.atlassian.bamboo.plugins.git.v2.GitWorkingCopyManager.retrieveSourceCode(GitWorkingCopyManager.java:122)
at com.atlassian.bamboo.plugins.stash.v2.BitbucketServerWorkingCopyManager.retrieveSourceCode(BitbucketServerWorkingCopyManager.java:91)
... 25 moreEnvironment
Bamboo 8, 9
Enterprise Linux 9.1 and later (RHEL, Rocky, Alma, Oracle, etc)
OpenSSH
Issue
The crypto-policy that comes with some Enterprise Linux distributions 9.1 and later does not allow RSA key sizes < 2048 bit. Some SSH servers are configured with 1024-bit key sizes that can lead to connection failures.
Solution
Some Enterprise Linux 9.1 releases introduce a new /etc/ssh/ssh_config option called RequiredRSASize that can be used to override the default setting from crypto-policy. To workaround the problem with smaller RSA keys, an entry for the specific host using this option can be added to the ssh_config file:
If you have only Bitbucket Server repositories and use a Bitbucket-type connection, add the following entries to your SSH configuration file /etc/ssh/ssh_config:
1
2
Host 127.0.0.1
RequiredRSASize 1024If you have other VCS systems that use SSH but are not controlled by the Bamboo SSH Proxy, you may have to set the RequiredRSASize option globally by adding the following line to /etc/ssh/ssh_config:
1
RequiredRSASize 1024Reference:
Was this helpful?