1. Bitbucket Website
  2. Public Issue Tracker
  3. master

Issues

Issue #7741 resolved

Another "conq: repository access denied." issue

Marvin Jacobsz
created an issue

Hi,

I noticed there are quite some posts on the subject already, but none seem to adequately describe my problem.

We, as an organisation, host the code of a couple of our projects here on bitbucket. For one of these projects, we have a Continuous Integration server, that pulls in the code on every commit. Since a month or two, suddenly all builds began to fail with the message: "conq: repository access denied."

Logging in to this machine, and trying stuff like "git ls-remote" to debug the problem, also issues this error. I (re)checked my ssh- and git configuration, like described by you guys in this and this document, and everything seems in order.

Now comes the weirdest part: On the server I tried to clone the repo of the project in a temp folder. This failed with the same conq error again. Then I tried to clone the repo of another project we host here on bitbucket in the temp folder, and tada, that worked! This is quite strange, because I did not add the deployment key of the machine to that project at all.

So, somehow the server is able to successfully setup a ssh connection to bitbucket (it can clone repo's), so the ssh settings on the machine are probably correct, but for some specific repo's the connection fails. This conclusion seems correct, right?

I'm quite puzzled now, so any ideas or suggestions are highly appreciated!

Comments (18)

  1. Jesper Nøhr

    Marvin,

    I think your configuration is offering up a different SSH key than what you're assuming it is. Can you run "ssh -T -v hg@bitbucket.org" and see whether the correct key is being offered? This will also output which user you're authenticating as, which may help shed light on the issue.

  2. Marvin Jacobsz reporter

    Hi Jesper,

    I got this:

    jenkins@mica:~/jobs/EU1$ ssh -T -v git@bitbucket.org
    OpenSSH_5.5p1 Debian-6+squeeze3, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /var/lib/jenkins/.ssh/config
    debug1: Applying options for bitbucket.org
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to bitbucket.org [131.103.20.168] port 22.
    debug1: Connection established.
    debug1: identity file /var/lib/jenkins/.ssh/id_rsa type 1
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
    debug1: identity file /var/lib/jenkins/.ssh/id_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'bitbucket.org' is known and matches the RSA host key.
    debug1: Found key in /var/lib/jenkins/.ssh/known_hosts:3
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /var/lib/jenkins/.ssh/id_rsa
    debug1: Remote: Forced command: conq username:rmies
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: read PEM private key done: type RSA
    debug1: Remote: Forced command: conq username:rmies
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    conq: logged in as rmies.
    
    You can use git or hg to connect to Bitbucket. Shell access is disabled.
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug1: channel 0: free: client-session, nchannels 1
    Transferred: sent 2280, received 2888 bytes, in 0.3 seconds
    Bytes per second: sent 9062.5, received 11479.2
    debug1: Exit status 0
    
    1. This is the correct key.
    2. Apparently, I log in as 'rmies'(?). I don't really get this, because when I do "ssh -T -v git@bitbucket.org", then I should be logged in as the user "git", right?
  3. Jesper Nøhr

    Marvin,

    Unfortunately that is not how it works. You will log in as 'git' or 'hg' over SSH, and we identify you based on the key you're providing, not the username. As you can see, you're giving the key for 'rmies', which gives the expected result. You'd want to provide the other key (via 'ssh -i') to identify as another user. Hope that clears things up!

  4. yi fu

    Hi, Jesper, I meet the same problem, but even if I supply the key file with -i option, ssh still use the wrong key to authenticate. why is it ?

  5. Brian Nguyen

    Hi,

    This is usually a configuration issue, but its hard to tell without further investigation. Rather than spam Marvin, could you email us at support@bitbucket.org and we'll help you out.

    In the email, can you also include the output of ssh -T -v git@bitbucket.org?

    Cheers, Brian

  6. Gustavo Sales

    How do I generate a key for another bitbucket user? I heve 2 account and I could not figure out how to create a key to login as gustavosales only as vatsu, as follows:

    OpenSSH_5.6p1, OpenSSL 0.9.8y 5 Feb 2013
    debug1: Reading configuration data /Users/vatsu/.ssh/config
    debug1: Applying options for repos.inspira
    debug1: Reading configuration data /etc/ssh_config
    debug1: Applying options for *
    debug1: Connecting to bitbucket.org [131.103.20.167] port 22.
    debug1: Connection established.
    debug1: identity file /Users/vatsu/.ssh/inspira_rsa type 1
    debug1: identity file /Users/vatsu/.ssh/inspira_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.6
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'bitbucket.org' is known and matches the RSA host key.
    debug1: Found key in /Users/vatsu/.ssh/known_hosts:15
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/vatsu/.ssh/github_rsa
    debug1: Remote: Forced command: conq username:vatsu
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Remote: Forced command: conq username:vatsu
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Authentication succeeded (publickey).
    Authenticated to bitbucket.org ([131.103.20.167]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    logged in as vatsu.
    
    You can use git or hg to connect to Bitbucket. Shell access is disabled.
    debug1: channel 0: free: client-session, nchannels 1
    Transferred: sent 2384, received 2872 bytes, in 0.3 seconds
    Bytes per second: sent 6946.2, received 8368.0
    debug1: Exit status 0
    
  7. daini_dev-admin

    I have two repository, And on my server I am able to clone / pull only one repository, When I try to clone new one Showing this error

    Cloning into '<reponame>'... conq: repository access denied.

    fatal: The remote end hung up unexpectedly

    Need help on this

  8. GRIFFON Antoine

    Hi !

    I go the same issue, can't figure out why.

    Here is my ssh -T -v hg@bitbucket.org :

    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to bitbucket.org [131.103.20.168] port 22.
    debug1: Connection established.
    debug1: identity file /home/anaxagoovh/.ssh/identity type -1
    debug1: identity file /home/anaxagoovh/.ssh/identity-cert type -1
    debug1: identity file /home/anaxagoovh/.ssh/id_rsa type 1
    debug1: identity file /home/anaxagoovh/.ssh/id_rsa-cert type -1
    debug1: identity file /home/anaxagoovh/.ssh/id_dsa type -1
    debug1: identity file /home/anaxagoovh/.ssh/id_dsa-cert type -1
    debug1: identity file /home/anaxagoovh/.ssh/id_ecdsa type -1
    debug1: identity file /home/anaxagoovh/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'bitbucket.org' is known and matches the RSA host key.
    debug1: Found key in /home/anaxagoovh/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/anaxagoovh/.ssh/identity
    debug1: Offering public key: /home/anaxagoovh/.ssh/id_rsa
    debug1: Remote: Forced command: conq username:driew
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: read PEM private key done: type RSA
    debug1: Remote: Forced command: conq username:driew
    debug1: Remote: Port forwarding disabled.
    debug1: Remote: X11 forwarding disabled.
    debug1: Remote: Agent forwarding disabled.
    debug1: Remote: Pty allocation disabled.
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = fr_FR.UTF-8
    logged in as driew.
    
    You can use git or hg to connect to Bitbucket. Shell access is disabled.
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug1: channel 0: free: client-session, nchannels 1
    Transferred: sent 2440, received 2872 bytes, in 0.2 seconds
    Bytes per second: sent 12698.7, received 14947.0
    debug1: Exit status 0
    

    Thanks !

  9. Piyush Chitkara

    I had a similar issue. Here is the fix that I did,

    Fix 1: The key was also in one of the other groups that was accessing the repo. Removed it. Fix 2: I assigned the key to the allowed user through the user settings in the bit bucket

    The above two fixes solved the problem!

  10. Felix Cuello

    I had the same issue in a VM when I suddenly realized that my host machine had a ssh key for another bitbucket user, and it was forwarding the key. That key had more precedence than ~/.ssh/id_rsa.pub

    So what I had to do to solve the issue is go to the host machine and do:

    ssh-add -D
    

    To remove all identities from the host machine.

  11. Log in to comment