Problem

When attempting to clone, push or pull over SSH with Git, you receive the message

Permission denied (publickey).

OR

remote: Permission denied (publickey)

OR

abort: Permission denied: (project name)

Diagnosis

You are receiving this message because Bitbucket Cloud could not authenticate you with any of the keys that were offered to it by your SSH agent. To verify this is the case, do the following 

ssh -t -vvv git@bitbucket.org

This will attempt to create a connection to Bitbucket Cloud for git. You should receive a response similar to the following if your key is correctly loaded

$ ssh -t -vvv git@bitbucket.org 
authenticated via ssh key.

You can use git to connect to Bitbucket. Shell access is disabled

From here you can proceed with your work as normal. If you do not see a message similar to the above, read on.
If you see the message "debug3: no such identity: <path_to_your_key>: No such file or directory" refer to Error "No such file or directory" when running verbose git SSH commands.

Resolution

This can be caused by a couple of factors, but these are the most common:

- Your public key isn't loaded into Bitbucket Cloud

To check to see if your public key is loaded into Bitbucket Cloud, do the following:

1. Open a browser and log into Bitbucket Cloud.
2. Choose Your avatar > Personal settings from the menu bar.
   
   The system displays the personal settings page.
3. Click SSH keys in the Security section.
   The SSH Keys page displays. It shows a list of any existing keys.
4. If you do not have any keys listed, follow Set up an SSH key to set one up.

- Your identity isn't loaded into your SSH Agent

If your SSH agent doesn't know to offer Bitbucket Cloud a key, the connection will fail. To find out what keys your SSH Agent currently is offering, and add them, do the following:

Windows

Double-click Pageant to view loaded keys (Pageant is a PuTTY authentication agent).

Click 'Add Key' to add any key not found in the list.

On GitBash, MacOS or Linux

$ ssh-add -l

Then, if you don't see your key listed, add it by 

ssh-add ~/.ssh/id_rsa

Remember that if the key was generated with a different name you should change the 'id_rsa' on the command to the name of the key. For more information, check out our full Troubleshoot SSH issues guide.

- Your idendity isn’t loaded into PuTTYgen 

If using PuTTYgen application:

1. Open PuTTYgen;

2. Click on ‘File > Load private key’;

3. Choose your *.ppk file from directory;

4. Click on ‘Conversions > Export OpenSSH key’;

5. Save the file in ‘C:\Users\<your username>\.ssh folder with 'id_rsa’ name.

- Git bash for Windows/Pageant are not using the correct keys 

This can be confirmed by running the following command:

ssh -vvv git@bitbucket.org

If you see that your SSH agent isn’t using the key you want to, it’s likely because of Windows Environment Variables. To configure those, follow the steps outlined below:

1. Access your Environment Variables by opening up System Properties and navigating to Advanced System Settings
2. Add a new System variable with the following structure


Variable Name: GIT_SSH
Variable Value: full path to pageant.exe (you may also have plink.exe, puttygen.exe and other agents, i.e. C:\Program Files (x86)\Atlassian\SourceTree\tools\putty\plink.exe)

A easy way of finding the path for the agent is to open task manager, find the process and open the folder location to get the path to your agent.

After creating the new variable make sure to restart your terminals so that they receive the new values. If you’re running bash from an IDE, make sure to restart the IDE itself as well.

- You do not have permission to create the repository on your local filesystem

If you get the error "Permission denied", it is also possible that git doesn't have permission to create the project folder locally. Check permissions for the directory where you're attempting to check out the project, and make sure you have write access.

- Your private key file permissions are too open

Your ssh agent might no use your private key if the file permissions for your private key are too open. The key needs to be read-writable only to you:

On GitBash, MacOS or Linux

chmod 600 ~/.ssh/id_rsa

Alternatively the key can be only readable to you:

chmod 400 ~/.ssh/id_rsa

On Windows

File permissions can be set by right-mouse clicking on the relevant file, going into properties and then selecting the "Security" tab, leaving only the SYSTEM, Administrators and the user as read-writable to.

- Your security algorithm has been deprecated or is different than Bitbucket’s accepted methods 

This can be confirmed by running the following command:

ssh -vvv git@bitbucket.org

If you see the debug1: send_pubkey_test: no mutual signature algorithm message then this is the case.

The RSA SHA-1 hash algorithm is being quickly deprecated across operating systems and SSH clients because of various security vulnerabilities, with many of these technologies now outright denying the use of this algorithm.

For example - here is the announcement from OpenSSH regarding their upcoming deprecation of the ssh-rsa algorithm.

In the event that you are using an operating system or SSH client whose version has this algorithm disabled, it's possible that any SSH keys previously generated using this algorithm will no longer be accepted by these technologies. 
The preferred resolution is to re-generate the keys using a updated algorithm, which can be done using the following command:

ssh-keygen -t ed25519 -C "your_email@example.com”

If generating a new key doesn’t work, you can also re-enable RSA algorithm by adding the following line to your ssh agent config file:

PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512

The config file can usually be found on the following path: ~/.ssh/config

If none of the solutions above worked you can always contact our support team via the support portal at https://support.atlassian.com/. Feel free to open a ticket with us containing as much information as possible, especially which repository are you trying to access as well as your public SSH key, which can be found by using the following command:

cat id_rsa.pub | pbcopy

This will copy the contents of your public SSH key and will be ready to be pasted on the support ticket.