Hello Bitbucket Cloud users,
We recently learned that encrypted copies of Bitbucket’s SSH host keys were included in a data breach of a third-party credential management vendor. The SSH protocol uses host keys to establish the identity of a trusted server for every SSH connection, like when a git pull establishes a SSH connection to Bitbucket Cloud.
In response, Bitbucket issued two new SSH host keys today and will be replacing the current host keys on June 20, 2023. Please review this blog and complete the applicable steps outlined below as soon as possible.
Though we believe the risk of compromise is low, by rotating the host keys proactively we are mitigating future risk should the old host keys be decrypted. If we did not change the host keys it might have been possible in the future for a threat actor to potentially use the old host keys in combination with an already compromised network to trick clients into connecting to and trusting a malicious host.
I want to assure you that a threat actor cannot use the old host keys to directly access your data on Bitbucket Cloud, or to access your private SSH keys.
We understand that rotating host keys can be disruptive. Your security is always our top priority, and we believe that acting proactively is the best approach.
Please read the below for details.
Bala Sathiamurthy, CISO/Head of Security
WHAT’S CHANGING
New host keys added
On May 15, 2023 2300 UTC we added two new host keys using the ECDSA and Ed25519 algorithms:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE= bitbucket.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO bitbucket.org
The corresponding fingerprints are:
256 SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0 bitbucket.org (ECDSA)
256 SHA256:ybgmFkzwOSotHTHLJgHO0QN8L0xErw6vd0VhFA9m3SM bitbucket.org (ED25519)
RSA host key rotation
On June 20, 2023 1700 UTC we will replace our current RSA host key with the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M= bitbucket.org
The corresponding RSA key fingerprint is:
3072 SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E bitbucket.org (RSA)
DSA host key removal
On June 20, 2023 1700 UTC we will also remove our DSA host key; this key will stop working entirely.
WHAT YOU NEED TO DO
We highly recommend that you immediately switch to using the newer ECDSA or Ed25519 host keys for each of your SSH clients that connect to bitbucket.org, including other applications such as IDEs and CI/CD build system
