Bitbucket host key incident

Bitbucket have just announced a security breach because of which they need to replace their host key; more details here (search on their blog for ssh-host-key-changes).

I went ahead and started a job and ran the ssh command they indicated with the following results:

root@2140c8de25ab:~#  ssh git@bitbucket.org host_key_info
Warning: Permanently added the RSA host key for IP address '18.205.93.1' to the list of known hosts.
You are using host key with fingerprint:
ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A

WARNING: The host key your client is using will be removed in the near future.

Please configure your client to trust a new host key.

See https://bitbucket.org/blog/ssh-host-key-changes for more details.

My question here is whether there’s anything on the user’s side that needs to happen, or whether it is the image providers or CircleCI that have to update this?


From reading on, it seems to me like the obvious solution here is for the checkout macro to be updated to perform the ssh-keygen -R bitbucket.org && curl https://bitbucket.org/site/ssh >> ~/.ssh/known_hosts command as instructed in the blog post.