How to disable default SSH algorithms in Bitbucket Data Center


Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Network administrators may wish to disable certain algorithms (ciphers, MACs, key exchanges) for their SSH traffic.

Since the client selects the algorithms after a negotiation phase, the only way to disable an algorithm is to exclude it entirely from the list of algorithms the server offers.

Environment

Bitbucket Data Center

Solution

  • Enable debug logging of the available ciphers, key exchanges, and MACs on startup by adding the following to your bitbucket.properties file and restarting Bitbucket Data Center. See the Bitbucket documentation on debug logging for more information.

    logging.logger.com.atlassian.bitbucket.internal.ssh.server=DEBUG
  • Find the available algorithm names in the atlassian-bitbucket.log file by looking for messages of the form:

    Available SSH CIPHER: [aes128-ctr]
    Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
    Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1]
  • Add the algorithm names you wish to disable to the plugin.ssh.disabled.ciphers, plugin.ssh.disabled.key.exchanges, and plugin.ssh.disabled.macs properties (available in Bitbucket Server 3.9+) as specified in Configuration properties, and restart Bitbucket Server.
  • Note that as of Bitbucket Data Center 5.4, some algorithms are already disabled by default. Setting one of these properties replaces the default list rather than adding to it, so you must explicitly re-list the default entries in your override or they will be re-enabled. Check out SSH Security properties to see the default values for these properties.
  • The following ciphers are disabled by default since Bitbucket Data Center 5.4:
    • arcfour128
    • arcfour256
    • aes128-cbc
    • aes192-cbc
    • aes256-cbc
    • 3des-cbc
    • blowfish-cbc
  • You can verify which algorithms are in use by executing a remote SSH command and reading the available and negotiated algorithms from the verbose output. If the output does not show what you expect, confirm that the cipher is really disabled by explicitly setting it in your git config and attempting a git operation.
    • Run:

      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1

    • Look for debug2: kex_parse_kexinit: lines for the available algorithms and debug1: kex: server->client for the negotiated result, or filter the output directly:

      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep kex_parse_kexinit

      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep server-\>client


  • To enable additional, stronger algorithms, see List ciphers used by JVM for how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
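The steps above are easy to get subtly wrong in two places: an override of plugin.ssh.disabled.ciphers that forgets the 5.4 defaults silently re-enables them, and a misspelled algorithm name disables nothing. The following script is an added example, not Atlassian's code or part of this article: it reads the "Available SSH ..." DEBUG lines from atlassian-bitbucket.log, builds the three plugin.ssh.disabled.* property lines with the default-disabled ciphers always re-listed, reports any requested name the server never offered, and then checks an ssh -vvv transcript for a disabled algorithm that was nonetheless negotiated. The log lines and ssh excerpts embedded below are constructed samples (the log lines are the three quoted in this article); the comma-separated property format and the "debug1: kex: server->client cipher: ... MAC: ..." line shape are assumptions based on the Bitbucket configuration properties page and OpenSSH 7.x output respectively.

```python
"""Build plugin.ssh.disabled.* properties from Bitbucket's startup log and
verify an `ssh -vvv` transcript against them (added example, not Atlassian code)."""
import re
from typing import Dict, List, Tuple

# Ciphers the article lists as disabled by default since Bitbucket Data Center
# 5.4.  Any override of plugin.ssh.disabled.ciphers must re-list them.
DEFAULT_DISABLED_CIPHERS = [
    "arcfour128", "arcfour256", "aes128-cbc", "aes192-cbc",
    "aes256-cbc", "3des-cbc", "blowfish-cbc",
]

# Log category -> property key (property names are from the article).
PROPERTY_FOR = {
    "CIPHER": "plugin.ssh.disabled.ciphers",
    "KEY_EXCHANGE": "plugin.ssh.disabled.key.exchanges",
    "MAC": "plugin.ssh.disabled.macs",
}

AVAILABLE_RE = re.compile(r"Available SSH (CIPHER|KEY_EXCHANGE|MAC): \[([^\]]*)\]")
# Negotiated-result lines as printed by OpenSSH 7.x (assumed format).
KEX_RE = re.compile(r"debug1: kex: algorithm: (\S+)")
S2C_RE = re.compile(r"debug1: kex: server->client cipher: (\S+) MAC: (\S+)")


def parse_available(log_text: str) -> Dict[str, List[str]]:
    """Collect the DEBUG 'Available SSH ...' lines into {category: [names]}."""
    found: Dict[str, List[str]] = {}
    for category, names in AVAILABLE_RE.findall(log_text):
        found[category] = [n.strip() for n in names.split(",") if n.strip()]
    return found


def build_disabled_properties(
    available: Dict[str, List[str]], to_disable: Dict[str, List[str]]
) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (properties, unknown).

    properties: {property key: comma-separated value} for bitbucket.properties,
                with the default-disabled ciphers always re-listed first.
    unknown:    requested names the server never offered, so a typo cannot
                silently leave a weak algorithm enabled.
    """
    props: Dict[str, str] = {}
    unknown: Dict[str, List[str]] = {}
    for category, key in PROPERTY_FOR.items():
        wanted = list(to_disable.get(category, []))
        if category == "CIPHER":
            wanted = DEFAULT_DISABLED_CIPHERS + [w for w in wanted if w not in DEFAULT_DISABLED_CIPHERS]
        offered = set(available.get(category, []))
        unknown[category] = [w for w in wanted
                             if w not in offered and w not in DEFAULT_DISABLED_CIPHERS]
        if wanted:
            props[key] = ",".join(wanted)
    return props, unknown


def check_negotiation(ssh_verbose: str, props: Dict[str, str]) -> List[str]:
    """Compare the negotiated kex/cipher/MAC from `ssh -vvv` output with the
    disabled lists; return one message per disabled algorithm that was still
    negotiated (an empty list means the override took effect)."""
    disabled = {cat: set(props.get(key, "").split(",")) - {""}
                for cat, key in PROPERTY_FOR.items()}
    problems: List[str] = []
    kex = KEX_RE.search(ssh_verbose)
    if kex and kex.group(1) in disabled["KEY_EXCHANGE"]:
        problems.append(f"key exchange {kex.group(1)} is disabled but was negotiated")
    s2c = S2C_RE.search(ssh_verbose)
    if s2c:
        cipher, mac = s2c.groups()
        if cipher in disabled["CIPHER"]:
            problems.append(f"cipher {cipher} is disabled but was negotiated")
        if mac in disabled["MAC"]:
            problems.append(f"MAC {mac} is disabled but was negotiated")
    return problems


# Constructed sample: the three startup log lines quoted in the article.
SAMPLE_LOG = """\
Available SSH CIPHER: [aes128-ctr]
Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1]
"""
# Constructed `ssh -vvv` excerpts: one clean, one where hmac-sha1 was still chosen.
GOOD_SSH = """\
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
"""
BAD_SSH = GOOD_SSH.replace("hmac-sha2-256", "hmac-sha1")

if __name__ == "__main__":
    available = parse_available(SAMPLE_LOG)
    props, unknown = build_disabled_properties(available, {
        "KEY_EXCHANGE": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
                         "diffie-hellman-group14-sha1"],
        "MAC": ["hmac-sha1", "hmac-md5"],  # hmac-md5 is not offered: reported as unknown
    })
    for key, value in props.items():
        print(f"{key}={value}")
    print("not offered by server:", {k: v for k, v in unknown.items() if v})
    print("problems:", check_negotiation(BAD_SSH, props))
```

Paste the printed property lines into bitbucket.properties and restart; after the restart, feed the real `ssh -vvv ... whoami 2>&1` output to check_negotiation. Anything in the "not offered by server" output is either a spelling mistake or an algorithm the server never had, and in both cases the line does nothing.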

Last modified on Feb 20, 2024
