Issue #3775 open

Add the option to disable HTTPS access to repositories (BB-3777)

v2k
created an issue

For security purposes, it would be nice to make some repos SSH access only.

Comments (15)

  1. Nicolas Venegas

    Hi

    I've flagged this issue so that we can look at it during our planning meeting, but apart from someone compromising the password on your account, there really is no security problem with HTTPS.

    Regards

    Nicolas

  2. v2k reporter

    Yes, but it's obviously a lot more secure if you only have SSH access. It's a lot easier to compromise your password than it is to compromise your private key (and potentially your key's password).

  3. v2k reporter

    Assume they both have the same password then.

    It doesn't matter when it's hosted remotely on bitbucket and someone can try logging in an infinite number of times without notice.

    With a private key and password (or even without a password), good luck hacking in.

    I don't think the strength of the password matters when comparing the ease of compromising HTTPS vs SSH; especially if they both have the same password.

  4. Erik van Zijst staff

    Ah, that's unfortunate. What measures will be taken to prevent login attempts?

    We haven't made any decisions yet, but one obvious approach would be to require a CAPTCHA after x number of failed login attempts.

    Feel free to leave suggestions on #3800.
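The throttle sketched in the comment above (demand a CAPTCHA after some number of failed logins), as an added example that is not Bitbucket's code or part of the original thread. The threshold, the time window, the in-memory store and the `FakeClock` helper are all assumptions chosen for illustration.

```python
# Added example, not Bitbucket's code: a per-account throttle that demands a
# CAPTCHA once an account has accumulated too many recent failed logins.
# Threshold, window length and the in-memory store are assumptions.
import time
from collections import defaultdict, deque

FAILURE_THRESHOLD = 5        # assumed: failures before a CAPTCHA is demanded
WINDOW_SECONDS = 15 * 60     # assumed: only failures this recent are counted


class LoginThrottle:
    """Tracks recent failed logins per account (in memory, for illustration)."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.clock = clock                    # injectable so tests can fake time
        self._failures = defaultdict(deque)   # account -> failure timestamps

    def _recent(self, account):
        """Drop failures older than the window and return what is left."""
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def captcha_required(self, account):
        return len(self._recent(account)) >= self.threshold

    def record_failure(self, account):
        q = self._recent(account)
        q.append(self.clock())
        return len(q)

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, account, password_ok, captcha_ok=False):
    """Outcome of one login attempt: 'ok', 'rejected' or 'captcha_required'.

    The CAPTCHA check runs before the password is evaluated, so once the
    throttle has tripped a correct guess is not distinguishable from a wrong
    one unless the CAPTCHA is also solved.
    """
    if throttle.captcha_required(account) and not captcha_ok:
        return "captcha_required"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "rejected"


class FakeClock:
    """Controllable clock (assumed helper) so window expiry can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(attempts, threshold=3, window=60):
    """Run a constructed sequence of (password_ok, captcha_ok) attempts against
    one account and return the outcome of each attempt in order."""
    clock = FakeClock(1000.0)
    throttle = LoginThrottle(threshold=threshold, window=window, clock=clock)
    return [attempt_login(throttle, "demo-account", ok, cap) for ok, cap in attempts]


if __name__ == "__main__":
    # Constructed sample: three wrong guesses, then the right password first
    # without and then with a CAPTCHA solution.
    sample = [(False, False)] * 3 + [(True, False), (True, True)]
    for outcome in simulate_guessing(sample):
        print(outcome)
```

The ordering in `attempt_login` is the part worth noticing: if the password were checked first and the CAPTCHA only demanded afterwards, the response would still reveal whether a guess was right, which defeats the purpose of the throttle. Real deployments would also key the counter on source address as well as account and persist it outside a single process.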

  5. Art Taylor, LLC
    • changed status to open

    This is inadequate. Key management also prevents access from unauthorized machines, as we can prevent key shipment via layer 7 inspection and physical device management.

    A minimal workaround is an admin changing the password after the key is added to the user account.

  6. Samson Peter

    Guys, did Bitbucket add SSH-key-only access as yet? Let me give you another scenario: in our case we don't want devs accessing the project outside office premises. Without a better key management feature I don't see this being possible.

  7. James Cooke

    Is this on your roadmap? It's important to us too, and we are considering switching from Project Locker to Bitbucket for all of our repositories, but this is a sticking point.