112

I want to clone a remote repository to my local machine. I used the command:

git clone git@bitbucket.org:<username>/<repo_name>.git

and I got the message:

The authenticity of host 'bitbucket.org (104.192.143.3)' can't be
established. RSA key fingerprint is
SHA256:****. Are you sure you
want to continue connecting (yes/no)?  Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository
exists.

I just want to mention that I already took care of the ssh issues. I generated an ssh key by the command 'ssh-keygen' and I copied the contents of ~/.ssh/id_rsa.pub to Bitbucket Settings -> SSH keys (according to this link: https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html)

I also looked at my "user and group access" and I saw this:

[screenshot]

Can you advise me what to do?

6
  • Have you checked permissions on this project?
    – Ivan
    Commented Nov 13, 2016 at 18:34
  • How do I check it? Is it Settings -> Branch Permissions ? Commented Nov 13, 2016 at 19:28
  • No. Go to the repository -> Settings -> User and groups access
    – Ivan
    Commented Nov 13, 2016 at 20:05
  • I added the screenshot to the original post Commented Nov 13, 2016 at 20:09
  • "Host key verification failed"!!!
    – Jakuje
    Commented Nov 13, 2016 at 20:21

11 Answers

149

The message says

Host key verification failed.

nothing about authentication, so you are working on the wrong field. It means that the host key of bitbucket.org is not in your ~/.ssh/known_hosts and your client does not have any way to verify it. It was answered many times how to work around it, but how to do it properly?

There is a section in the Bitbucket manuals describing what their public keys and fingerprints look like. So:

  1. Run ssh bitbucket.org
  2. It will prompt you with one of the fingerprints:

    The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established.
    RSA key fingerprint is SHA256:*****.
    Are you sure you want to continue connecting (yes/no)?
    
  3. You verify the fingerprint in the prompt is the same as on the bitbucket website:

    SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
    
  4. You write yes and press enter to verify the connection works.

Or just copy the public key from the Bitbucket website directly into the ~/.ssh/known_hosts file:

echo "bitbucket.org,104.192.143.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==" >> ~/.ssh/known_hosts

If nothing from the above helps, please run ssh -vvv bitbucket.org and post the output to the edited question.

6
  • 1
    When I type: "ssh bitbucket.org" I get: The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established. RSA key fingerprint is SHA256:*****. Are you sure you want to continue connecting (yes/no)? yes Host key verification failed. Commented Nov 13, 2016 at 20:48
  • "2. It will prompt you with one of the fingerprints" = "RSA key fingerprint is SHA256:*****." (from the link in the post).
    – Jakuje
    Commented Nov 13, 2016 at 20:49
  • 1
    @BrunoBronosky the public key fingerprints are still available on the BitBucket website, which also has some further details.
    – Alex
    Commented Dec 22, 2017 at 11:29
  • 1
    Thanks, @Alex. I added the new URL to the answer. Commented Dec 23, 2017 at 5:21
  • 1
    I updated the link again; the original one only has MD5, not SHA-256. I finally found the answer thanks to this Q&A. Bitbucket is good at hiding the SSH keys, which doesn’t sound right; the SSH key should be well-known for SSH trust model to work. It should be the first result from Googling “Bitbucket host key”. In contrast, GitHub public key is typically the first result. Commented Oct 10, 2018 at 4:17
81

Update May/June 2023:

ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys

New host keys added

  • On May 15, 2023 2300 UTC we added two new host keys using the ECDSA and Ed25519 algorithm
  • On June 20, 2023 1700 UTC we will replace our current RSA host key
  • On June 20, 2023 1700 UTC we will also remove our DSA host key; this key will stop working entirely.

So... TLDR; (even on Windows):

ssh-keygen -R bitbucket.org && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts

Note: Before June, the content of https://bitbucket.org/site/ssh is still the old keys.

That will add the new official keys from Bitbucket to your ~/.ssh/known_hosts:

bitbucket.org ssh-rsa …

bitbucket.org ssh-dss …

bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=

bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO


Why?

We recently learned that encrypted copies of Bitbucket’s SSH host keys were included in a data breach of a third-party credential management vendor.

The SSH protocol uses host keys to establish the identity of a trusted server for every SSH connection, like when a git pull establishes a SSH connection to Bitbucket Cloud.

Though we believe the risk of compromise is low, by rotating the host keys proactively we are mitigating future risk should the old host keys be decrypted.

If we did not change the host keys it might have been possible in the future for a threat actor to potentially use the old host keys in combination with an already compromised network to trick clients into connecting to and trusting a malicious host.


Čamo notes in the comments that if you still have the error:

Warning: the ECDSA host key for 'bitbucket.org' differs from the key for the IP address '104.192.141.1'

Then you can, as in this thread, do:

We had to add a newline to the end of the curl command that was provided in the guide.

The warning message you are receiving is likely related to old entries on your known_hosts file that are pointing to the Bitbucket IP, instead of the domain name bitbucket.org.

To resolve this issue, you can remove the older entries and store the new ones using the following command:

ssh-keygen -R bitbucket.org && sed -i.old -e '/AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/d' ~/.ssh/known_hosts && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts

6
  • Just a note for Windows users. I had to put the keys here: C:\Windows\System32\config\systemprofile\.ssh\known_hosts
    – Andy
    Commented Jun 23, 2023 at 17:49
  • @Andy Only if you are using an Administrator account, as seen here. $HOME is set to %USERPROFILE%, so make sure to use a regular account.
    – VonC
    Commented Jun 23, 2023 at 19:38
  • I did everything that is in the documentation. But I am getting an error: Warning: the ECDSA host key for 'bitbucket.org' differs from the key for the IP address '104.192.141.1'
    – Čamo
    Commented Jul 25, 2023 at 11:15
  • @Čamo Make sure you have run ssh-keygen -R bitbucket.org and that you do not see any reference to bitbucket in ~/.ssh/known_hosts: open the file and check. Then add the new keys.
    – VonC
    Commented Jul 25, 2023 at 11:34
  • 1
    @Čamo Thank you for your feedback. I have edited the answer to include your comment. Let me know if I have copied the right solution from the thread you mentioned.
    – VonC
    Commented Jul 25, 2023 at 12:07
35
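# -p: do not fail if ~/.ssh already exists
mkdir -p ~/.ssh
touch ~/.ssh/known_hosts
# ssh-keyscan does not authenticate the keys it fetches
ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts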
2
  • 3
    If the DNS is already spoofed, this will not protect you from anything.
    – Jakuje
    Commented Apr 4, 2020 at 18:10
  • 2
    Why would you need to touch the file if the >> would create it for you already Commented Oct 15, 2021 at 11:42
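
An added example (not part of any answer above, and not Bitbucket's or OpenSSH's code) of the check that the first answer and the comment on ssh-keyscan call for: compute each scanned key's SHA256 fingerprint the way OpenSSH displays it, and keep only the lines that match a fingerprint pinned from the vendor's website. The function names and all sample keys are constructed for illustration; the pinned value is derived from a constructed key and stands in for the published fingerprint.

```python
import base64, hashlib, struct

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def embedded_type(b64_blob):
    """The blob starts with a length-prefixed algorithm name; return it."""
    raw = base64.b64decode(b64_blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")

def vet_scan(scan_output, host, pinned):
    """Split ssh-keyscan style lines into (accepted, rejected).

    pinned maps key type -> fingerprint copied by hand from the vendor's HTTPS page.
    """
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits '# host:port banner' comment lines
        parts = line.split()
        try:
            names, ktype, blob = parts[0], parts[1], parts[2]
            ok = (host in names.split(",")
                  and embedded_type(blob) == ktype
                  and pinned.get(ktype) == fingerprint(blob))
        except (IndexError, ValueError, struct.error):
            ok = False  # truncated line, bad base64, or malformed blob
        (accepted if ok else rejected).append(line)
    return accepted, rejected

def _constructed_line(host, ktype, payload):
    """Build a known_hosts line from constructed bytes (not a real host key)."""
    t = ktype.encode()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(payload)) + payload
    return f"{host} {ktype} {base64.b64encode(raw).decode()}"

# Constructed sample data: the "published" key and what a spoofed scan might return.
GENUINE = _constructed_line("bitbucket.org", "ssh-ed25519", bytes(range(32)))
SPOOFED = _constructed_line("bitbucket.org", "ssh-ed25519", bytes(32))
PINNED = {"ssh-ed25519": fingerprint(GENUINE.split()[2])}  # stands in for the website value
SCAN = "\n".join(["# bitbucket.org:22 SSH-2.0-constructed", GENUINE, SPOOFED,
                  "bitbucket.org ssh-rsa !!!"])

if __name__ == "__main__":
    good, bad = vet_scan(SCAN, "bitbucket.org", PINNED)
    print("append to known_hosts:", good)
    print("refused:", len(bad), "line(s)")
```

Only the lines in the accepted list should be appended to ~/.ssh/known_hosts; a refused line means the scan returned a key that the published fingerprints do not vouch for.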
12

You only need to run the following command without any addition:

ssh-keygen -R bitbucket.org
7

You'll get the same error:

Host key verification failed.

in case you press enter instead of answering the question:

Are you sure you want to continue connecting (yes/no/[fingerprint])? 

with yes

0
6

The following steps worked for me personally; I had an SSH key registered on Bitbucket beforehand. On Windows:

  1. Go to C:/Users/<your_username>/.ssh/known_hosts
  2. Delete the lines that start with bitbucket.org
  3. Run ssh bitbucket.org and follow instructions
1
  • Simple as that, this is what I needed on Windows 10. Maybe I missed it in previous answers, but here it is simply stated in step 2: remove what is needed.
    – Stefan
    Commented Jun 29, 2023 at 15:20
2

As already answered, the problem is that the .ssh/known_hosts file does not contain the updated fingerprints. Atlassian sent me a lot of emails but still I forgot a couple of places to upgrade before the fingerprints switch-off.

My basic solution is to add new fingerprints directly from bitbucket itself (curl https://bitbucket.org/site/ssh) after you made a safety copy of the file. The last command is just a check.

cp ~/.ssh/known_hosts ~/.ssh/known_hosts.old
curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts
ssh git@bitbucket.org host_key_info
0

On macOS, after following all the steps on here, I got this error.

It turned out that Bitbucket's key (including the .pub file) was generated in the home (~) directory, and in the ~/.ssh/config file (I created both the .ssh folder and the config file myself) we have to provide the path to that key. So, for me it looked like:

Host bitbucket.org
  AddKeysToAgent yes
  IdentityFile ~/ssh-key-name
0

I have this issue with SourceTree because I use OpenSSH but PuTTY / Plink was set.

0

I know this is an old thread. I landed on this page from a Google search because I faced the same error. I was able to resolve this issue in another way that is not in any of the above answers.

Solution - Instead of using the SSH url from bitbucket, I used the HTTPS url on Git CMD prompt and it worked

e.g. git clone https://[email protected]/companyservices/projectname.git

-3

If you already have SSH enabled, copy all the files from the .ssh folder into a backup folder before following these steps:

  1. Open Git Bash and type ssh-keygen, and press Enter three times (one for location, and two for empty passphrase).
  2. It will create .ssh folder if not present and creates two files id_rsa & id_rsa.pub inside .ssh folder.
  3. Now go to Bitbucket settings -> SSH keys -> Add key
  4. Paste id_rsa.pub string in Bitbucket and press ok.
  5. Restart Git Bash
  6. Try to clone repo. It should work now.
