Viewing or Updating the Bitbucket Server SSH Private Key

The content on this page relates to platforms which are supported; however, the content is out of scope of our Atlassian Support Offerings. Consequently, Atlassian cannot guarantee support. Please be aware that this material is provided for your information only and you may use it at your own risk.

Purpose

Bitbucket Server runs its own SSH service to enable git over SSH. For this reason, Bitbucket Server generates and uses its own private key file. This article describes where to find the key and how it is used.

Solution

The SSH private key for Bitbucket Server is generated the very first time an SSH-based git request is made to the server. The SSH private key file is generated in the following location:

$BITBUCKET_HOME/shared/config/ssh-server-keys.pem

This key is a 1024-bit RSA key. If necessary, you can replace this key with your own. Be aware, however, that if the key is changed, pre-existing clients will most likely fail to connect when they recognise that the RSA host key for your server has changed.

To replace the key:

  1. Rename the existing key (if you delete this key you will not be able to retrieve it!)
  2. Place a new private key file in the same directory with the name ssh-server-keys.pem
    • Note: To have Bitbucket randomly generate a new key instead, you can skip this step and immediately move to step 5
  3. Set the owner to the Bitbucket user and group: chown atlbitbucket:atlbitbucket ssh-server-keys.pem
  4. Set the permissions to make the file readable only by the owner: chmod 400 ssh-server-keys.pem
  5. Restart Bitbucket Server. Note that if you have not replaced the key file, a new key file will be generated the first time that an SSH-based git request is made to the server.
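
Steps 1 to 4 above as a single shell function, given here as an added example that is not Atlassian's own tooling. The function names and the KEY_OWNER variable are assumptions of this example; it also prints the old and new host key fingerprints (when ssh-keygen can read the file) so they can be passed to users before their clients report the changed host key.

```shell
#!/bin/sh
# Added example: steps 1-4 of the key replacement as one function.
# KEY_OWNER (hypothetical variable) defaults to the account named on the page.
KEY_NAME=ssh-server-keys.pem

# Print the host key fingerprint clients will see, if ssh-keygen can read the file.
host_key_fingerprint() {
    command -v ssh-keygen >/dev/null 2>&1 || return 1
    ssh-keygen -l -f "$1" 2>/dev/null </dev/null
}

# rotate_host_key BITBUCKET_HOME [NEW_KEY_FILE]
# Without NEW_KEY_FILE the old key is only renamed, so Bitbucket generates a
# fresh one on the first SSH-based git request after the restart (step 5).
rotate_host_key() {
    cfg="$1/shared/config"
    new_key="${2:-}"
    key="$cfg/$KEY_NAME"
    [ -d "$cfg" ] || { echo "no such directory: $cfg" >&2; return 1; }
    if [ -n "$new_key" ] && [ ! -r "$new_key" ]; then
        echo "cannot read new key: $new_key" >&2; return 1
    fi

    # Step 1: rename, never delete, so the old host key can be restored.
    if [ -e "$key" ]; then
        backup="$key.$(date +%Y%m%d%H%M%S).bak"
        [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 1; }
        echo "old fingerprint: $(host_key_fingerprint "$key" || echo unavailable)"
        mv "$key" "$backup" || return 1
        echo "old key kept as $backup"
    fi
    [ -n "$new_key" ] || return 0

    # Steps 2-4: copy under a restrictive umask so the key is never group- or
    # world-readable, even briefly; then set owner (root only) and mode.
    ( umask 077 && cp "$new_key" "$key" ) || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "${KEY_OWNER:-atlbitbucket:atlbitbucket}" "$key" || return 1
    fi
    chmod 400 "$key" || return 1
    echo "new fingerprint: $(host_key_fingerprint "$key" || echo unavailable)"
}
```

Call it as `rotate_host_key "$BITBUCKET_HOME" /path/to/new-key.pem`, then restart Bitbucket Server as in step 5.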

Note: Data Center installations use a shared NFS mount of $BITBUCKET_HOME/shared, so all nodes of a Data Center instance use the same SSH key. This is the mechanism by which Bitbucket Data Center avoids DNS spoofing issues on the client side in a multi-node setup.

Last modified on Aug 22, 2016
