REMOTE HOST IDENTIFICATION HAS CHANGED when accessing Bitbucket Server git repo over ssh
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
When using git clone, push, fetch or pull to or from a repository hosted in Bitbucket Server over ssh, or when using ssh to access the machine Bitbucket Server is hosted on, the user receives an error due to mismatched server ssh keys, e.g.:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
13:c9:f6:9d:c1:67:16:95:69:27:08:4a:c9:16:62:75.
Please contact your system administrator.
Add correct host key in /home/USER/.ssh/known_hosts to get rid of this message.
Offending key in /home/USER/.ssh/known_hosts:1
RSA host key for bitbucket.customer.com has changed and you have requested strict checking.
Host key verification failed.
fatal: The remote end hung up unexpectedly
This can happen when using git with a Bitbucket Server ssh url or ssh itself.
If the warning message is encountered each time the machine hosting Bitbucket is restarted, please see the KB article: "REMOTE HOST IDENTIFICATION HAS CHANGED" is reported each time the server hosting Bitbucket is restarted.
Diagnosis
The user is attempting to access the machine Bitbucket Server is hosted on via ssh, as well as accessing Bitbucket Server hosted repositories over ssh.
The Bitbucket Server ssh server and the normal ssh server on the machine hosting Bitbucket Server have different key-pairs, and the user's version of ssh is not differentiating between the ssh servers running on the same machine on different port numbers. For example, in a standard set up:
- 22: the normal ssh server for shell access
- 7990: the Bitbucket Server ssh server for ssh git access
Cause
OpenSSH clients earlier than 4.4 are not able to differentiate between ssh servers running on the same machine on different ports when detecting changed server keys.
Type ssh -V to determine the version number of ssh:
$ ssh -V
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
Workaround
There are a number of workarounds, see http://serverfault.com/questions/141553/how-to-make-ssh-match-known-hosts-to-host-ipport-instead-of-just-host-ip.
Resolution
Upgrade the version of ssh on the client's machine to a version of ssh greater than or equal to 4.4.
Remove all entries for the machine hosting Bitbucket Server from the user's ~/.ssh/known_hosts file.
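An added example (not Atlassian's code) showing which known_hosts lines the removal step has to cover: the bare host name written by older clients, the [host]:port form, and hashed (|1|...) entries. The host name and ports 22 and 7990 are taken from this article; the file contents, key blobs and function names are constructed for illustration.

```python
import base64, hashlib, hmac

def hashed_field(name, salt):
    """Build a HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches(hosts_field, names):
    """True if a known_hosts host field names any of the candidates."""
    if hosts_field.startswith("|1|"):
        parts = hosts_field.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        return any(hashed_field(n, salt) == hosts_field for n in names)
    # Plain field: comma-separated names; wildcard patterns are not expanded here.
    return any(h in names for h in hosts_field.split(","))

def remove_host(text, host, ports=(22, 7990)):
    """Return (remaining_text, removed_lines) for entries naming host on the given ports."""
    # Port 22 is stored as the bare name, any other port as [host]:port.
    names = {host if p == 22 else "[%s]:%d" % (host, p) for p in ports}
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)
            continue
        # @cert-authority / @revoked markers precede the host field.
        hosts_field = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        (removed if entry_matches(hosts_field, names) else kept).append(line)
    return "\n".join(kept) + "\n", removed

# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "bitbucket.customer.com,192.0.2.10 ssh-rsa AAAAconstructedSHELLKEY",
    "[bitbucket.customer.com]:7990 ssh-rsa AAAAconstructedGITKEY",
    hashed_field("bitbucket.customer.com", b"constructed-salt-20b") + " ssh-rsa AAAAconstructedHASHED",
    "other.example.com ssh-ed25519 AAAAconstructedOTHER",
]) + "\n"

if __name__ == "__main__":
    remaining, removed = remove_host(SAMPLE, "bitbucket.customer.com")
    print("removed %d entries" % len(removed))
    print(remaining, end="")
```

On an OpenSSH client, ssh-keygen -R performs the same removal for one name at a time. After removal the next connection prompts for the server's key; compare its fingerprint with one obtained from the system administrator before accepting it.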