Add the option to disable HTTPS access to repositories (BB-3777)

Issue #3775 open
v2k NA
created an issue

For security purposes, it would be nice to make some repos SSH access only.

Comments (20)

  1. Nicolas Venegas


    I've flagged this issue so that we can look at it during our planning meeting, but apart from someone compromising the password on your account, there really is no security problem with https.



  2. v2k NA reporter

    Yes, but it's obviously a lot more secure if you only have SSH access. It's a lot easier to compromise your password than it is to compromise your private key (and potentially your key's password).

  3. v2k NA reporter

    Assume they both have the same password then.

    It doesn't matter when it's hosted remotely on bitbucket and someone can try logging in an infinite number of times without notice.

    With a private key and password (or even without a password); good luck hacking in.

    I don't think the strength of the password matters when comparing the ease of compromising HTTPS vs SSH; especially if they both have the same password.

  4. Erik van Zijst staff

    Ah, that's unfortunate. What measures will be taken to prevent login attempts?

    We haven't made any decisions yet, but one obvious approach would be to require a CAPTCHA after x number of failed login attempts.

    Feel free to leave suggestions on #3800.

  5. Art Taylor, LLC
    • changed status to open

    This is inadequate. Key management also prevents access from unauthorized machines, as we can prevent key shipment via layer 7 inspection and physical device management.

    A minimal workaround is an admin changing the password after the key is added to the user account.

  6. Samson Peter

    Guys, did Bitbucket add SSH-key-only access as yet? Let me give you another scenario: in our case we don't want devs accessing projects outside office premises. Without a better key management feature I don't see this being possible.

  7. James Cooke

    Is this on your roadmap? It's important to us too, and we are considering switching from Project Locker to Bit Bucket for all of our repositories, but this is a sticking point.

  8. Arman Oganesyan

    I'm also waiting for this feature to be implemented. But as we can see, this ticket was created four years ago, so we don't have much of a chance that this would be done in the near future, I guess.
