Disable default SSH algorithms
Network administrators may wish to disable certain algorithms (ciphers, macs, key exchanges) for their SSH traffic.
Since the client selects the algorithms after a negotiation phase, the only way to disable certain algorithms is to exclude them completely from the list of available algorithms on the server side.
- Enable debug logging of the available ciphers, key exchanges, and MACs on startup by adding the following to your bitbucket.properties file and restarting Bitbucket Server (see the debug logging documentation for more information).
- Find the available algorithm names in the atlassian-bitbucket.log file by looking for messages of the form:
  Available SSH CIPHER: [aes128-ctr]
  Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
  Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1]
- Add the algorithm names you wish to disable to the plugin.ssh.disabled.macs property (and its sibling properties for ciphers and key exchanges; available in Bitbucket Server 3.9+) as specified in Bitbucket Server config properties, and restart Bitbucket Server. Note that as of Bitbucket Server 5.4, some algorithms are already disabled by default. Because your override replaces the default value of the property, you must explicitly re-list those algorithms in your override, otherwise the override re-enables them. Check SSH Security properties to see the default values for these properties.
- You can verify the algorithms in use by executing a remote SSH command and reading the available and negotiated algorithms in the verbose output. If you do not see the results you expect, confirm that the cipher is disabled by explicitly setting it in your git config and attempting a git operation:
  ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1
  Look for lines starting with debug2: kex_parse_kexinit: for the available algorithms and debug1: kex: server->client for the negotiated result, or execute:
  ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep kex_parse_kexinit
  ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep server-\>client
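As an added example (not part of the Atlassian page or of Bitbucket Server itself), the bash helper below reads the "Available SSH ..." startup lines from atlassian-bitbucket.log after the restart and reports any algorithm from your intended disabled list that the server still advertises, which is exactly the case the note about re-listing default-disabled algorithms warns about. The log text embedded in the script is constructed from the sample messages above, including a made-up timestamp and logger prefix; it is not a real capture.

```bash
#!/usr/bin/env bash
# Constructed sample of the startup debug lines (not a real log capture). A real
# atlassian-bitbucket.log line carries a timestamp/logger prefix before
# "Available SSH", which the regex below skips with a leading ".*".
SAMPLE_LOG='2024-01-01 00:00:00,000 DEBUG [main] Available SSH CIPHER: [aes128-ctr]
2024-01-01 00:00:00,000 DEBUG [main] Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
2024-01-01 00:00:00,000 DEBUG [main] Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1]'

# available_algos CATEGORY < logfile
# Prints, one per line, the algorithms the server advertises for CATEGORY
# (CIPHER, KEY_EXCHANGE or MAC), taken from the bracketed list in the log line.
available_algos() {
  local category=$1
  sed -n "s/.*Available SSH ${category}: \[\(.*\)\].*/\1/p" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# still_enabled CATEGORY ALGO... < logfile
# Prints every ALGO that is still advertised for CATEGORY. Exit status is 0 when
# all of them are gone (the override took effect) and 1 when at least one remains,
# e.g. because the override omitted an algorithm that was disabled by default.
still_enabled() {
  local category=$1; shift
  local offered rc=0
  offered=$(available_algos "$category")
  for algo in "$@"; do
    # -F: fixed string (algorithm names contain dots), -x: whole line only
    if printf '%s\n' "$offered" | grep -qxF -- "$algo"; then
      printf '%s\n' "$algo"
      rc=1
    fi
  done
  return "$rc"
}

# Against a live instance:
#   still_enabled KEY_EXCHANGE diffie-hellman-group1-sha1 < atlassian-bitbucket.log
# Stand-alone run uses the constructed sample instead.
if printf '%s\n' "$SAMPLE_LOG" | still_enabled KEY_EXCHANGE diffie-hellman-group1-sha1 diffie-hellman-group14-sha1; then
  echo "all listed key exchanges are disabled"
else
  echo "the algorithms above are still advertised; re-check the override"
fi
```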
To enable additional, stronger algorithms, see "List ciphers used by JVM" for how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.