Git ssh clone fails with error Permission denied (publickey) in Bitbucket Server

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Ssh git clone fails with the following error.  

Permission denied (publickey).
fatal: Could not read from remote repository.

In order to get a more detailed output, you can try the command,  GIT_SSH_COMMAND="ssh -vvvv" git clone ssh://git@<repository_url> and this will give you the output similar to the below one. 

GIT_SSH_COMMAND="ssh -vvvv" git clone ssh://git@test.bitbucket.com:7999/test/repo.git
15:41:10.964407 git.c:440               trace: built-in: git clone ssh://git@test.bitbucket.com:7999/test/repo.git
Cloning into 'repo'...
...
...
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/frye/.ssh/id_dsa
debug3: no such identity: /home/frye/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/frye/.ssh/id_ecdsa
debug3: no such identity: /home/frye/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/frye/.ssh/id_ed25519
debug3: no such identity: /home/frye/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Environment

Bitbucket Server/Data Center 7.17.0 or above installed on Ubuntu 14.x LTS or Ubuntu 16.x

Diagnosis

Run ssh localhost from the same machine and retry the clone. It will get successful and you can see the below line in the success output.

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:kSWXd+fJmEoWNIFMEa8kIMRjLtCo4vU9DgQJ83JLHP0
debug3: sign_and_send_pubkey: RSA SHA256:kSWXd+fJmEoWNIFMEa8kIMRjLtCo4vU9DgQJ83JLHP0
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to stash.calix.local (via proxy).

Cause

When running the clone directly from the client machine, the key is being accessed from the ssh agent gnome-keyring in the Operating system. This is a feature that collects all of your passwords in a secure application (gnome-keyring) and will use these stored passwords to automatically log you in to various services. But it is possible that the passwords stored in the keyring could get outdated and this could cause authentication failures.

To confirm this, you can run the below command twice. Once directly on the machine, then after executing "ssh localhost".

echo $SSH_AUTH_SOCK

You can see similar output.

$ echo $SSH_AUTH_SOCK 
/run/user/10114/keyring/ssh
$ ssh localhost
Last login: Mon Jun  6 18:29:20 2022 from 127.0.0.1
$ echo $SSH_AUTH_SOCK 

$

The SSH_AUTH_SOCK path variable has been cleared once you run ssh localhost and the key is being taken from the default ssh configuration.

Solution

Please work with your system admin and disable the gnome-keyring: ssh agent in your system(not the server) or you can manually unset the SSH_AUTH_SOCK environment variable. 

Last modified on Jun 22, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.