[Other doc versions]
[Doc downloads]
A Stash administrator can enable SSH access to Git repositories in Stash. This allows your Stash users to:
Stash users must each add their own SSH key pairs to their Stash account to be able to use SSH access to repositories.
Supported key types are DSA and RSA2. Note that RSA1 is not supported. We've tested key sizes of 768, 1024, 2048, 4096 and 8192 bytes.
On this page:
Related pages:
Performance
There are performance implications for Stash when using SSH. When users connect to Stash using SSH, the encryption of data adds to overall CPU usage. For day-to-day push and pull operations the overhead will not be significant, but when cloning repositories the overhead will be noticeable.
To get the maximum performance from Stash, we advise configuring automatic build tools to use the http or https protocol, if possible. See Scaling Stash for more information.
Security
To implement SSH authentication support, Stash bundles a version of the Apache Mina SSHD server. Stash's SSH server is not integrated with the SSH server on the host Stash is running on nor does it consider the users on the host when authenticating Stash users. To prevent security issues, the embedded SSH server has been locked down to allow execution of a small set of commands for Git hosting. The only commands that are supported are git upload-pack
, git receive-pack
, git archive-pack
and whoami
(a custom whoami
implemented in Stash not the whoami
command that exists on Linux). It is not possible to open an SSH shell using the embedded server to execute arbitrary commands on the server.
To enable SSH access:
The SSH base URL is the base URL with which users can access the SSH push/pull/clone functionality of Stash.
This is the base URL that Stash will use when displaying SSH URLs to users. If you do not set this, it will default to the host that is set in Stash base URL, with the port that SSH is listening on. See Specifying the base URL for Stash.
For example, if the SSH base URL is not set and the Stash base URL is https://stash.atlassian.com
and the SSH port is 7999
, the SSH URL for the repository Jira
in the project Atlassian
will be ssh://git@stash.atlassian.com:7999/ATLASSIAN/jira.git
If you set up port forwarding, you will need to set the SSH base URL to the machine and port that is being forwarded to Stash. However, you do not need to specify the port portion of the URL if the default SSH port (port 22) is being forwarded to Stash.
Port forwarding | SSH base URL | Stash base URL | SSH port | Resulting SSH URL for a repo |
---|---|---|---|---|
Not set |
| 7999 | ssh://git@stash.atlassian.com:7999/<projectname>/<reponame>.git | |
Port 22 -> 7999 |
|
| 7999 | ssh://git@stash.atlassian.com/<projectname>/<reponame>.git |
If you run Stash behind a http proxy such as Apache (e.g. as per our instructions), and if Apache runs on a different host, SSH will not be available on that host. Instead, you will need to set the SSH base URL to the machine Stash is actually running on (and the URL should include the SSH port Stash is serving from).
For example, if the SSH base URL is set to ssh://stash.backend.atlassian.com:7999
, the SSH URL for the repository Jira
in the project Atlassian
will be ssh://git@stash.backend.atlassian.com:7999/ATLASSIAN/jira.git
If you set up port forwarding, you will need to set the SSH base URL to the proxy machine and port that is being forwarded to Stash. However, you do not need to specify the port portion of the URL if the default SSH port (port 22) is being forwarded to Stash.
For example, if you set up port forwarding from your http proxy host, stash.atlassian.com
, port 22, to stash.backend.atlassian.com
port 7999, set the SSH base URL to ssh://stash.atlassian.com
. Then, the SSH URL for the repository Jira
in the project Atlassian
will be ssh://git@stash.atlassian.com/ATLASSIAN/jira.git
Port forwarding | SSH base URL | SSH port | Stash base URL | Resulting SSH URL for a repo |
---|---|---|---|---|
ssh://stash.backend.atlassian.com:7999 | 7999 |
| ssh://git@stash.backend.atlassian.com:7999/<projectname>/<reponame>.git | |
Port 22 -> 7999 |
| 7999 |
| ssh://git@stash.atlassian.com/<projectname>/<reponame>.git |
Port 44 -> 7999 |
| 7999 |
| ssh://git@stash.atlassian.com:44/<projectname>/<reponame>.git |