"REMOTE HOST IDENTIFICATION HAS CHANGED" is reported each time the server hosting Bitbucket is restarted

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Users get the REMOTE HOST IDENTIFICATION HAS CHANGED! warning message when performing git operations whenever the server hosting Bitbucket is restarted.

Sample warning message
git clone ssh://git@localhost:7999/proj1/repo1.git
Cloning into 'repo1'...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:LWdsVRrm2RZ41Ft2CxwAyiNR2ouPt99wIyJwIfXWNL8.
Please contact your system administrator.
Add correct host key in /Users/bbuser/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/bbuser/.ssh/known_hosts:41
RSA host key for [localhost]:7999 has changed and you have requested strict checking.
Host key verification failed.
fatal: Could not read from remote repository.


Please make sure you have the correct access rights
and the repository exists.

This can occur if the user used to start up Bitbucket has no write permissions on the $BITBUCKET_HOME/shared/config/ssh-server-keys.pem file, which contains the SSH private key for Bitbucket.


If the machine that hosts Bitbucket was not restarted but the warning message is still encountered, please see the KB, REMOTE HOST IDENTIFICATION HAS CHANGED when accessing Bitbucket Server git repo over ssh, which provides diagnosis and resolution steps if the warning is received in the following scenarios:

  • while attempting to access the machine Bitbucket is hosted on via ssh
  • while accessing Bitbucket hosted repositories over ssh (clone, push, fetch)

Diagnosis

The following entries showing AccessDeniedExceptions are logged in $BITBUCKET_HOME/log/atlassian-bitbucket.log file:

Warnings in atlassian-bitbucket.log
2021-03-05 02:02:01,254 WARN  [sshd-SshServer[1b57567](port=7999)-nio2-thread-1]  c.a.b.i.s.s.DefaultHostKeyPairProvider resolveKeyPair(/var/atlassian/application-data/bitbucket/shared/config/ssh-server-keys.pem) Failed (AccessDeniedException) to load: /var/atlassian/application-data/bitbucket/shared/config/ssh-server-keys.pem
...
2021-03-05 02:02:01,274 INFO  [sshd-SshServer[1b57567](port=7999)-nio2-thread-1]  c.a.b.i.s.s.DefaultHostKeyPairProvider generateKeyPair(RSA) generating host key - size=2048
...
2021-03-05 02:02:01,715 WARN  [sshd-SshServer[1b57567](port=7999)-nio2-thread-1]  c.a.b.i.s.s.DefaultHostKeyPairProvider writeKeyPair(/var/atlassian/application-data/bitbucket/shared/config/ssh-server-keys.pem) failed (AccessDeniedException) to write key /var/atlassian/application-data/bitbucket/shared/config/ssh-server-keys.pem: {}
...
2021-03-05 02:02:01,731 WARN  [sshd-SshServer[1b57567](port=7999)-nio2-thread-1]  c.a.b.i.s.s.DefaultHostKeyPairProvider Could not restrict file permissions on key /var/atlassian/application-data/bitbucket/shared/config/ssh-server-keys.pem
java.nio.file.FileSystemException: /var/atlassian/application-data/bitbucket/shared/config/ssh-server-keys.pem: Operation not permitted
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:91)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
        at sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:238)
        at sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:260)
        at java.nio.file.Files.setPosixFilePermissions(Files.java:2045)
        at com.atlassian.bitbucket.util.MoreFiles.setPermissions(MoreFiles.java:377)
        at com.atlassian.bitbucket.internal.ssh.server.DefaultHostKeyPairProvider.writeKeyPair(DefaultHostKeyPairProvider.java:121)
        at org.apache.sshd.server.keyprovider.AbstractGeneratorHostKeyProvider.resolveKeyPairs(AbstractGeneratorHostKeyProvider.java:214)
        at org.apache.sshd.server.keyprovider.AbstractGeneratorHostKeyProvider.loadKeys(AbstractGeneratorHostKeyProvider.java:139)
        at org.apache.sshd.server.keyprovider.AbstractGeneratorHostKeyProvider.loadKeys(AbstractGeneratorHostKeyProvider.java:60)
        at org.apache.sshd.common.keyprovider.KeyPairProvider.getKeyTypes(KeyPairProvider.java:131)
        at org.apache.sshd.server.session.AbstractServerSession.resolveAvailableSignaturesProposal(AbstractServerSession.java:372)
        at org.apache.sshd.common.session.helpers.AbstractSession.resolveAvailableSignaturesProposal(AbstractSession.java:2173)
        at org.apache.sshd.common.session.helpers.AbstractSession.sendKexInit(AbstractSession.java:2098)
        at org.apache.sshd.server.session.AbstractServerSession.readIdentification(AbstractServerSession.java:483)
        at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:342)
        at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:63)
        at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:368)
        at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:346)
        at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:343)
        at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker.invokeDirect(Invoker.java:157)
        at sun.nio.ch.UnixAsynchronousSocketChannelImpl.implRead(UnixAsynchronousSocketChannelImpl.java:555)
        at sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:277)
        at sun.nio.ch.AsynchronousSocketChannelImpl.read(AsynchronousSocketChannelImpl.java:298)
        at org.apache.sshd.common.io.nio2.Nio2Session.doReadCycle(Nio2Session.java:398)
        at org.apache.sshd.common.io.nio2.Nio2Session.doReadCycle(Nio2Session.java:338)
        at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:330)
        at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:326)
        at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:322)
        at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:318)
        at org.apache.sshd.common.io.nio2.Nio2Session.startReading(Nio2Session.java:314)
        at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.onCompleted(Nio2Acceptor.java:311)
        at org.apache.sshd.common.io.nio2.Nio2Acceptor$AcceptCompletionHandler.onCompleted(Nio2Acceptor.java:266)
        at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.lang.Thread.run(Thread.java:748)
        ... 1 frame trimmed

Cause

The Bitbucket user (e.g. atlbitbucket) does not have write permissions to the $BITBUCKET_HOME/shared/config/ssh-server-keys.pem file, which contains the SSH private key for Bitbucket.

This can happen if another user, such as root owns the file or the parent directory.

Solution

Ensure that the $BITBUCKET_HOME/shared/config/ssh-server-keys.pem file is owned by the user that starts up Bitbucket.


Last modified on Apr 5, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.