Details
- Type: Bug
- Resolution: Invalid
- Priority: Medium
Description
We observed that when fetching a host’s fingerprint via Settings >> Pipelines >> SSH keys, the fingerprint Bitbucket retrieves is based on algorithm ssh-dss. This is no problem when using a Docker image which uses OpenSSH 6, but in OpenSSH 7, ssh-dss is disabled, due to its weakness (see https://www.openssh.com/legacy.html).
In our case, this had the effect that known_hosts did work when using the standard PHP image (Debian-based), but failed when using an Alpine image with OpenSSH 7 (with the usual “WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED”).
In other words: when fetching a host’s fingerprint, Bitbucket Cloud should prefer newer algorithms. For instance, when connecting to the very same host for which Bb Cloud retrieved an ssh-dss fingerprint, both from my Mac and from the aforementioned Alpine image, the host-key algorithm is ecdsa-sha2-nistp256.
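The failure mode the report describes (a known_hosts entry that only carries an ssh-dss key is usable by OpenSSH 6 but rejected by OpenSSH 7, which refuses ssh-dss host keys by default) can be reproduced offline against a known_hosts file. The following is an added example, not code from the issue or from Bitbucket: it parses known_hosts lines, drops the key types OpenSSH 7+ disables, picks the most preferred remaining key for a host, and computes the OpenSSH-style SHA256 fingerprint (base64 of the SHA-256 of the key blob, padding stripped). The sample entries, the dummy key bytes and the preference list are constructed for the example; hashed hostnames and @-marker lines are not handled.

```python
import base64
import hashlib
import struct

# Host-key types OpenSSH 7.0 and later refuse by default
# (see https://www.openssh.com/legacy.html).
LEGACY_TYPES = {"ssh-dss"}

# Modern-first preference order used by this example (assumption: it mirrors
# the shape of OpenSSH's default HostKeyAlgorithms ordering; not authoritative).
PREFERENCE = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-rsa",
    "ssh-dss",
]


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str):
    """Return [(hostnames, keytype, blob)] for each plain known_hosts line.

    Lines whose declared key type does not match the type embedded in the
    key blob are rejected; hashed hosts (|1|...) and @marker lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@") or line.startswith("|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64)
        if len(blob) < 4:
            continue
        (declared_len,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + declared_len] != keytype.encode("ascii"):
            continue  # key type in the blob disagrees with the column
        entries.append((hosts.split(","), keytype, blob))
    return entries


def usable_entries(entries, openssh_major: int):
    """Drop key types the given OpenSSH major version disables by default."""
    return [e for e in entries if not (openssh_major >= 7 and e[1] in LEGACY_TYPES)]


def pick_host_key(entries, host: str, openssh_major: int):
    """Return (keytype, fingerprint) of the most preferred usable key for host, or None."""
    candidates = [e for e in usable_entries(entries, openssh_major) if host in e[0]]
    if not candidates:
        return None  # host key verification would fail for this client version
    rank = lambda e: PREFERENCE.index(e[1]) if e[1] in PREFERENCE else len(PREFERENCE)
    best = min(candidates, key=rank)
    return best[1], fingerprint_sha256(best[2])


# Constructed sample data: the key material is dummy bytes, not real host keys.
_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_DSS_BLOB = _ssh_string(b"ssh-dss") + b"".join(_ssh_string(b"\x01") for _ in range(4))

# What the UI-fetched fingerprint amounts to: only an ssh-dss entry.
DSS_ONLY_KNOWN_HOSTS = "\n".join([
    "# constructed example, not a real host key",
    "bitbucket.example ssh-dss " + base64.b64encode(_DSS_BLOB).decode("ascii"),
])

# What a modern ssh-keyscan of the same host would add alongside it.
SAMPLE_KNOWN_HOSTS = DSS_ONLY_KNOWN_HOSTS + "\n" + (
    "bitbucket.example ssh-ed25519 " + base64.b64encode(_ED25519_BLOB).decode("ascii")
)


if __name__ == "__main__":
    for label, text in (("dss-only", DSS_ONLY_KNOWN_HOSTS), ("dss+ed25519", SAMPLE_KNOWN_HOSTS)):
        entries = parse_known_hosts(text)
        for major in (6, 7):
            print(f"{label:12s} OpenSSH {major}: {pick_host_key(entries, 'bitbucket.example', major)}")
```

With the ssh-dss-only file the OpenSSH 6 client gets a usable key while the OpenSSH 7 client gets none, which is the mismatch behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning in the Alpine image; once an ed25519 (or ecdsa) line for the same host is present, both clients pick it. In a pipeline the modern lines would come from `ssh-keyscan -t ed25519,ecdsa <host>` rather than from the UI, and the printed SHA256 fingerprint is what to compare against the value shown by `ssh-keygen -lf` on a trusted machine.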