Setting an SSH key for bitbucket

Hello,

I’m trying to SSH to circleci after enabling debugging, but I get a “Permission denied (publickey)” error.
So according to this article I generated a new key pair and added an access key for my repository in bitbucket and then added the private key in the project settings under “SSH Permission” with host name “bitbucket.org” according to the steps described here.
I also deleted the deploy key from circleci’s project settings under “Checkout SSH keys”.
Now builds in circleci are not starting, and there is an error "Your build was not run - reason code (:no-ssh-key)."
This is the build: https://circleci.com/bb/fleetonomy/main/53

There are lots of combinations for SSH key configurations and there isn’t any clear documentation regarding that.
I assume that if I’d like to SSH to circleci, I need to generate a private key, and circleci should have the public key.
How should it be done?

Note - I have beta 2.0 enabled for my project, but when I fall back to using circle.yml with the old format, builds are working.

Thanks,
Edi.

Are you able to run ssh -Tv git@bitbucket.org?

Yes.

edi@ubuntu-edi:~/.ssh$ ssh -i id_bitbucket -Tv git@bitbucket.org
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to bitbucket.org [104.192.143.1] port 22.
debug1: Connection established.
debug1: identity file id_bitbucket type 1
debug1: key_load_public: No such file or directory
debug1: identity file id_bitbucket-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version conker_1.0.295-04975b3 app-131
debug1: no match: conker_1.0.295-04975b3 app-131
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
debug1: Host 'bitbucket.org' is known and matches the RSA host key.
debug1: Found key in /home/edi/.ssh/known_hosts:8
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: id_bitbucket
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to bitbucket.org ([104.192.143.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending environment.
debug1: Sending env LC_PAPER = he_IL.UTF-8
debug1: Sending env LC_ADDRESS = he_IL.UTF-8
debug1: Sending env LC_MONETARY = he_IL.UTF-8
debug1: Sending env LC_NUMERIC = he_IL.UTF-8
debug1: Sending env LC_TELEPHONE = he_IL.UTF-8
debug1: Sending env LC_IDENTIFICATION = he_IL.UTF-8
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_MEASUREMENT = he_IL.UTF-8
debug1: Sending env LC_TIME = he_IL.UTF-8
debug1: Sending env LC_NAME = he_IL.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
authenticated via a deploy key.

You can use git or hg to connect to Bitbucket. Shell access is disabled.

This deploy key has read access to the following repositories:

fleetonomy/main: bitbucket_circleci – bitbucket_circleci
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3192, received 1856 bytes, in 0.4 seconds
Bytes per second: sent 8680.5, received 5047.3
debug1: Exit status 0

What happens when you hit the Add SSH Key button on your build?

After I click on it, it automatically creates a deploy key under the “Checkout SSH keys” section, and the builds are working. But I still can’t connect to the session with SSH.

edi@ubuntu-edi:~/.ssh$ ssh -i id_bitbucket -Tv -p 64539 ubuntu@52.15.226.190
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 52.15.226.190 [52.15.226.190] port 64539.
debug1: Connection established.
debug1: identity file id_bitbucket type 1
debug1: key_load_public: No such file or directory
debug1: identity file id_bitbucket-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to 52.15.226.190:64539 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RyNJSBdmMAc7oJFN6Kpg2EKehY2VGEvNvxk59ccBwUo
debug1: Host '[52.15.226.190]:64539' is known and matches the ECDSA host key.
debug1: Found key in /home/edi/.ssh/known_hosts:15
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: id_bitbucket
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Can you push a build with these commands in the config?

ls -la ~/.ssh
cat ~/.ssh/authorized_keys

You can cancel it or let it run, but you need to rebuild it with SSH.

Did it.
It’s under build https://circleci.com/bb/fleetonomy/main/58
Can you see it?

Thanks

Do either of those keys match your local key? The file is definitely populating correctly.

Actually neither of the keys match.
Maybe you generate the public key from the private key with non default parameters?
I used this one to generate the public key from my private key:
ssh-keygen -y -f "private key file"
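
The key comparison discussed in the last few posts can be done mechanically instead of by eye. The following is an added example, not part of the original thread or CircleCI's tooling: it takes the line printed by `ssh-keygen -y -f` and the text of `~/.ssh/authorized_keys`, and reports which entries carry the same key. The function names and the sample keys are constructed for illustration.

```python
import base64, hashlib, struct

KEY_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-")

def parse_pubkey(line):
    """Return the decoded key blob from a .pub or authorized_keys line, else None."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    # authorized_keys entries may begin with an options field, so scan for the key type.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_PREFIXES):
            try:
                return base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
    return None

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matching_lines(local_pub_line, authorized_keys_text):
    """1-based line numbers in authorized_keys that hold the local public key."""
    local = parse_pubkey(local_pub_line)
    if local is None:
        raise ValueError("not an OpenSSH public key line")
    want = fingerprint(local)
    return [n for n, line in enumerate(authorized_keys_text.splitlines(), 1)
            if (blob := parse_pubkey(line)) is not None and fingerprint(blob) == want]

def constructed_key(seed, comment):
    """Constructed, syntactically valid ssh-ed25519 line; not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, standing in for the build's ~/.ssh/authorized_keys",
    "no-pty " + constructed_key(1, "deploy-key"),
    constructed_key(2, "user-key"),
])
LOCAL_PUB = constructed_key(2, "me@workstation")
UNLISTED_PUB = constructed_key(3, "other@workstation")

if __name__ == "__main__":
    print(matching_lines(LOCAL_PUB, SAMPLE_AUTHORIZED_KEYS))     # [3]
    print(matching_lines(UNLISTED_PUB, SAMPLE_AUTHORIZED_KEYS))  # []
```

An empty result means the private key offered with `ssh -i` has no counterpart on the build machine, which is the situation that ends in “Permission denied (publickey)”.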

You need to add the key to your Bitbucket account manually. From https://circleci.com/bb/fleetonomy/main/edit#checkout :

1. Open Inspect Element in your browser's developer tools.
2. Click Create User Key
3. Find the new public key generated in the Network tab.
4. Go to your Bitbucket account and add it manually.

Sorry for this inconvenience. It is a Bitbucket specific issue that is being addressed, but not fixed.

Did it (still connecting to VM doesn’t work).
But I don’t understand how it helps me connect to the VM.
Maybe I need to have the private key of this “user key”?

Hi Edi,

I responded to your support ticket, but I’m copying the instructions for anyone else who wants to SSH with Bitbucket projects.


To get Bitbucket SSH working:

  1. Add the CircleCI-generated User Key to Bitbucket. This is the current workaround while we work with Bitbucket to automate this via their API:

    a. From the CircleCI project settings page, on the “Checkout SSH Keys” page, open Inspect Element in your browser’s developer tools.
    b. Click Create User Key
    c. Find the new public key generated in the Network tab.
    d. Go to your Bitbucket account and add it manually. (“Bitbucket settings” -> “SSH Keys” -> “Add Key”)

    When this step was successful, I saw “Enable SSH” on a 2.0 “Rebuild with SSH” step, as in the attached screenshot:

  2. Add my local public key to Bitbucket. (Also: “Bitbucket settings” -> “SSH Keys” -> “Add Key”, more info here)

    When this step was successful, I was able to run ssh -Tv git@bitbucket.org, which finished with “debug1: Exit status 0”.

  3. Only after 1 and 2 are complete, run a new build with “Rebuild with SSH”. I tried to SSH into a build that I started before verifying steps 1 or 2 and they still failed.

Thanks Eric.

Just for documentation - it worked for me only when in step 1.d. and step 2, I copied the key to my user’s SSH keys section. When copying it to team’s SSH keys or repository access keys, it doesn’t work.

Best,
Edi.

Thanks! Any plans to fix this issue?