Permission denied (publickey)

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Problem

When attempting to clone, push or pull over SSH with Git, you receive the message

Permission denied (publickey).

OR

remote: Permission denied (publickey)

OR

abort: Permission denied: (project name)

Diagnosis

You are receiving this message because Bitbucket Cloud could not authenticate you with any of the keys that were offered to it by your SSH agent. To verify this is the case, do the following 

ssh -t -vvv git@bitbucket.org

This will attempt to create a connection to Bitbucket Cloud for git. You should receive a response similar to the following if your key is correctly loaded

$ ssh -t -vvv git@bitbucket.org 
authenticated via ssh key.

You can use git to connect to Bitbucket. Shell access is disabled

From here you can proceed with your work as normal. If you do not see a message similar to the above, read on.
If you see the message "debug3: no such identity: <path_to_your_key>: No such file or directory" refer to Error "No such file or directory" when running verbose git SSH commands.

Resolution

This can be caused by a couple of factors, but these are the most common:

- Your public key isn't loaded into Bitbucket Cloud

To check to see if your public key is loaded into Bitbucket Cloud, do the following:

  1. Open a browser and log into Bitbucket Cloud.

  2. Select the Settings cog and select Personal Bitbucket settings from the profile menu



    The system displays the personal settings page.

  3. Click SSH keys in the Security section.
    The SSH Keys page displays. It shows a list of any existing keys. Alternatively, you can directly access this URL - https://bitbucket.org/account/settings/ssh-keys/ to list/add/delete SSH keys under your profile. 



  4. If you do not have any keys listed, follow Set up an SSH key to set one up.

- Your identity isn't loaded into your SSH Agent

If your SSH agent doesn't know how to offer Bitbucket Cloud a key, the connection will fail. To find out what keys your SSH Agent currently is offering, and add them, do the following:

Windows
  1. Double-click Pageant to view loaded keys (Pageant is a PuTTY authentication agent).



  2. Click 'Add Key' to add any key not found in the list.

If you see an invalid format error, make sure you remove all of the new line characters and spaces from the key.  In the example above, the last character should be 6.


On GitBash, MacOS or Linux

$ ssh-add -l


Then, if you don't see your key listed, add it by 

ssh-add ~/.ssh/id_rsa

Remember that if the key was generated with a different name you should change the 'id_rsa' on the command to the name of the key. For more information, check out our full Troubleshoot SSH issues guide.

- Your identity isn’t loaded into PuTTYgen 


If using PuTTYgen application:

  1. Open PuTTYgen;

  2. Click on ‘File > Load private key’;

  3. Choose your *.ppk file from a directory;

  4. Click on ‘Conversions > Export OpenSSH key’;

  5. Save the file in ‘C:\Users\<your username>\.ssh folder with 'id_rsa’ name.

- Git bash for Windows/Pageant is not using the correct keys 


This can be confirmed by running the following command:

ssh -vvv git@bitbucket.org


If you see that your SSH agent isn’t using the key you want to, it’s likely because of Windows Environment Variables. To configure those, follow the steps outlined below:

1. Access your Environment Variables by opening up System Properties and navigating to Advanced System Settings
2. Add a new System variable with the following structure

Variable Name: GIT_SSH
Variable Value: full path to pageant.exe (you may also have plink.exe, puttygen.exe and other agents, i.e. C:\Program Files (x86)\Atlassian\SourceTree\tools\putty\plink.exe)

(info) An easy way of finding the path for the agent is to open Task Manager, find the process, and open the folder location to get the path to your agent.

After creating the new variable make sure to restart your terminals so that they receive the new values. If you’re running bash from an IDE, make sure to restart the IDE itself as well.

- You do not have permission to create the repository on your local filesystem

If you get the error "Permission denied", it is also possible that git doesn't have permission to create the project folder locally. Check permissions for the directory where you're attempting to check out the project, and make sure you have write access.

- Your private key file permissions are too open

Your ssh-agent might not use your private key if the file permissions for your private key are too open. The key needs to be read-writable only to you:

On GitBash, MacOS, or Linux
chmod 600 ~/.ssh/id_rsa


Alternatively the key can be only readable to you:

chmod 400 ~/.ssh/id_rsa
On Windows

File permissions can be set by right-mouse clicking on the relevant file, going into properties, and then selecting the "Security" tab, leaving only the SYSTEM, Administrators, and the user as read-writable to.

- Your security algorithm has been deprecated or is different than Bitbucket’s accepted methods 


This can be confirmed by running the following command:

ssh -vvv git@bitbucket.org

If you see the debug1: send_pubkey_test: no mutual signature algorithm message then this is the case.

The RSA SHA-1 hash algorithm is being quickly deprecated across operating systems and SSH clients because of various security vulnerabilities, with many of these technologies now outright denying the use of this algorithm.

(info) For example - here is the announcement from OpenSSH regarding their upcoming deprecation of the ssh-rsa algorithm.

If you are using an operating system or SSH client whose version has this algorithm disabled, any SSH keys previously generated using this algorithm may no longer be accepted by these technologies. 


If you are getting an error in Pipelines while using an RSA key, it might be because the Pipelines image is using an older version of OpenSSH that still uses SHA1 as the default algorithm for RSA keys. Switch your image to atlassian/default-image:4 with the following line in your bitbucket-pipelines.yml file -

image: atlassian/default-image:4

The default-image:4 is based off of Ubuntu 22.04 which has a newer version of OpenSSH installed that uses SHA256 instead of SHA1 for RSA keys. This is a more secure algorithm and accepted everywhere. If you do not specify any image, atlassian/default-image:1 is used which uses an older version of OpenSSH that still uses SHA1 for RSA keys.


The preferred resolution is to re-generate the keys using an updated algorithm, which can be done using the following command:

ssh-keygen -t ed25519 -C "your_email@example.com”

If generating a new key doesn’t work, you can also re-enable the RSA algorithm by adding the following line to your ssh-agent config file:

PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512

The config file can usually be found on the following path: ~/.ssh/config


If none of the solutions above worked you can always contact our support team via the support portal at https://support.atlassian.com/. Feel free to open a ticket with us containing as much information as possible, especially which repository are you trying to access as well as your public SSH key, which can be found by using the following command:

cat id_rsa.pub | pbcopy

This will copy the contents of your public SSH key and will be ready to be pasted on the support ticket.


Last modified on May 23, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.