Issue Update your Bitbucket Cloud SSH Host Keys

[harry@positiveachieve]

Server operating system version

Ubuntu 20.04 x86_64

Plesk version and microupdate number

Plesk Obsidian 18.0.49.2

This is an update that has recently been made to bitbucket here. In Plesk I use Git ext to pull changes on bitbucket to the site on Plesk, when trying to add a repo to a site we get this error:

• Cloning into bare repository '/var/www/vhosts/[site-url]/git/vle.git'...
• Public key for the server at 'bitbucket.org' is already known in '/var/www/vhosts/[site-url]/.ssh/git_known_hosts'.
• @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
• @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
• @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
• IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
• Someone could be eavesdropping on you right now (man-in-the-middle attack)!
• It is also possible that a host key has just been changed.
• The fingerprint for the RSA key sent by the remote host is
• SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E.
• Please contact your system administrator.
• 1* Add correct host key in /var/www/vhosts/[site-url]/.ssh/git_known_hosts to get rid of this message.
• Offending RSA key in /var/www/vhosts/[site-url]/.ssh/git_known_hosts:1
• remove with:
• 2* ssh-keygen -f "/var/www/vhosts/[site-url]/.ssh/git_known_hosts" -R "bitbucket.org"
• RSA host key for bitbucket.org has changed and you have requested strict checking.
• Host key verification failed.
• fatal: Could not read from remote repository.
• 
  
• Please make sure you have the correct access rights
• and the repository exists.

1* How do I get the correct host key?
2* This is the message i get when using the command:
# Host bitbucket.org found: line 1
/var/www/vhosts/[site-url]/.ssh/git_known_hosts:8: invalid line
/var/www/vhosts/[site-url]/.ssh/git_known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors

 

[mr-wolf]

Like the message says:

run

ssh-keygen -f "/var/www/vhosts/[site-url]/.ssh/git_known_hosts" -R "bitbucket.org"

This will remove the key of bitbucket.org out of the local file you have on your server (/var/www/vhosts/[site-url]/.ssh/git_known_hosts)
It will then have nothing to compare with
Then start it again and give "yes" to accept the new public key

When you first started to connect bitbucket.org, the server had another key
There is no certificate checking with a trusted certificate server to vouch that their key is correct.

It's a warning that the bitbucket.org server has changed OR there's a man-in-the-middle
The latter is unlikely.

If it's your own server you're connecting to and you know that this key didn't change, you need to be suspicious.
Here you can't do much more than renew your key by starting a "virgin connect".

A "virgin connect" can be made by removing the key it has stored in a file on your server (known_hosts).
It will not have a public key to compare with and proposes to create it.

 

[harry@positiveachieve]

I already ran the command, and in 2* is the message I got. This is me trying to connect to bitbucket, if you click the "here" link, you can see the change they made

This is also a similar issue and i have added a comment there to Question - githhub updated their rsa ssh host key

 

[harry@positiveachieve]

Like the message says:

run


This will remove the key of bitbucket.org out of the local file you have on your server (/var/www/vhosts/[site-url]/.ssh/git_known_hosts)
It will then have nothing to compare with
Then start it again and give "yes" to accept the new public key

When you first started to connect bitbucket.org, the server had another key
There is no certificate checking with a trusted certificate server to vouch that their key is correct.

It's a warning that the bitbucket.org server has changed OR there's a man-in-the-middle
The latter is unlikely.

If it's your own server you're connecting to and you know that this key didn't change, you need to be suspicious.
Here you can't do much more than renew your key by starting a "virgin connect".

A "virgin connect" can be made by removing the key it has stored in a file on your server (known_hosts).
It will not have a public key to compare with and proposes to create it.

already ran the command, and in 2* is the message I got. This is me trying to connect to bitbucket, if you click the "here" link, you can see the change they made

This is also a similar issue and i have added a comment there to Question - githhub updated their rsa ssh host key

 

[mr-wolf]

• /usr/local/psa/admin/sbin/modules/git/git_ssh: line 49: /var/www/vhosts/[site-url]/.ssh/git_known_hosts: Permission denied

You do NOT have access to the file git_known_hosts

You are running it with a user that doesn't have write permissions to that file and you have to solve that first.

I suspect you are running the command with the user "root" and you expect to always have permissions to all files.

This is not true anymore (by default) !!

In newer Linux versions (>4.19) this has become deprecated.
If a file of user "harry" has only write permissions for user it means only "harry" can write or read it.
Not even root

ls -l /root/.ssh/known_hosts
-rw------- 1 harry psacln 7.5K Nov 6 2022 /root/.ssh/known_hosts

The user root, by default, has NO access to the above file

If you indeed assumed root has access to all files (even the above) and this applies your "use case" you should read on:

That behaviour is controlled by the system's kernel variable 'fs.protected_regular'

Run the command sysctl fs.protected_regular and it will show you its value
This is on my system

sysctl fs.protected_regular
fs.protected_regular = 0

I turned it off on mine.
If you want to turn it off too, you can create a file in /etc/sysctl.d/

echo 'fs.protected_regular=0' >/etc/sysctl.d/99-unprotect-fs.conf
sysctl --system

It does however make your system less secure and that's the reason why it's not the default value.

 

[harry@positiveachieve]

• /usr/local/psa/admin/sbin/modules/git/git_ssh: line 49: /var/www/vhosts/[site-url]/.ssh/git_known_hosts: Permission denied

You do NOT have access to the file git_known_hosts

You are running it with a user that doesn't have write permissions to that file and you have to solve that first.

I suspect you are running the command with the user "root" and you expect to always have permissions to all files.

This is not true anymore (by default) !!

In newer Linux versions (>4.19) this has become deprecated.
If a file of user "harry" has only write permissions for user it means only "harry" can write or read it.
Not even root



The user root, by default, has NO access to the above file

If you indeed assumed root has access to all files (even the above) and this applies your "use case" you should read on:

That behaviour is controlled by the system's kernel variable 'fs.protected_regular'

Run the command sysctl fs.protected_regular and it will show you its value
This is on my system


I turned it off on mine.
If you want to turn it off too, you can create a file in /etc/sysctl.d/




It does however make your system less secure and that's the reason why it's not the default value.

So in the plesk files display, the user and group are root, so i would have permission and the permission is rw- r-- r-- .

 

[mr-wolf]

I can only tell you things for which you give info.
I also don't know what you know or don't know, I can only presume and give you as much info.

You need to be the judge of what is applicable to your situation.

You don't give examples which makes it clear for me what the user name and permissions are for the file git_known_hosts
I have seen the output of the command and it says it has no access to the file.
This is clearly a permission problem.

There is no use of going a step further.
You need to solve that first.

Do you know what those permissions mean ( u, g, o )???
If you say the files themselves are root, it means the shell that's running the command has to be root as well.

But I don't think you are running those command as root
I think you are running it as the site-owner.
In that case you have to change the file to match that.

So in the plesk files display, the user and group are root, so i would have permission and the permission is rw- r-- r-- .

I don't think the Plesk-extension can run as root as that would not be a good thing.
Everything is done as the site-owner.
Of course it can't access a file whose owner is root with those permissions.

With this you can fix all permissions of that site.

plesk repair fs <site> -y -v

 

[harry@positiveachieve]

I can only tell you things for which you give info.
I also don't know what you know or don't know, I can only presume and give you as much info.

You need to be the judge of what is applicable to your situation.

You don't give examples which makes it clear for me what the user name and permissions are for the file git_known_hosts
I have seen the output of the command and it says it has no access to the file.
This is clearly a permission problem.

There is no use of going a step further.
You need to solve that first.

Do you know what those permissions mean ( u, g, o )???
If you say the files themselves are root, it means the shell that's running the command has to be root as well.

But I don't think you are running those command as root
I think you are running it as the site-owner.
In that case you have to change the file to match that.



I don't think the Plesk-extension can run as root as that would not be a good thing.
Everything is done as the site-owner.
Of course it can't access a file whose owner is root with those permissions.

With this you can fix all permissions of that site.

I know and if you would like to know anything I will try and provide it. I appreciate your help.

Is there a command that I can use to tell who I am logged in as? I access this from Plesk, in tools they have SSH Terminal and it says root@steamy-jordan

I'm not sure what you mean here, Do you know what those permissions mean ( u, g, o )???

If the shell isnt running as root, would that mean I wouldnt be allowed to make changes to file if the permission were rw- r-- r-- root?

 

[harry@positiveachieve]

I can only tell you things for which you give info.
I also don't know what you know or don't know, I can only presume and give you as much info.

You need to be the judge of what is applicable to your situation.

You don't give examples which makes it clear for me what the user name and permissions are for the file git_known_hosts
I have seen the output of the command and it says it has no access to the file.
This is clearly a permission problem.

There is no use of going a step further.
You need to solve that first.

Do you know what those permissions mean ( u, g, o )???
If you say the files themselves are root, it means the shell that's running the command has to be root as well.

But I don't think you are running those command as root
I think you are running it as the site-owner.
In that case you have to change the file to match that.



I don't think the Plesk-extension can run as root as that would not be a good thing.
Everything is done as the site-owner.
Of course it can't access a file whose owner is root with those permissions.

With this you can fix all permissions of that site.

Still getting this error when using this: ssh-keygen -f "/var/www/vhosts/[site-url]/.ssh/git_known_hosts" -R "bitbucket.org"


# Host bitbucket.org found: line 1
/var/www/vhosts/[site-url]/.ssh/git_known_hosts:8: invalid line
/var/www/vhosts/[site-url]/.ssh/git_known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors

 

[mr-wolf]

If you login as root and invoke this command

plesk repair fs <site> -y -v

It should fix all permissions of your site.
It would also fix the git_known_hosts owner. (edit: No, it doesn't)
You can also do it by yourself with the chown command.

 

[harry@positiveachieve]

If you login as root and invoke this command


It should fix all permissions of your site.
It would also fix the git_known_hosts owner.
You can also do it by yourself with the chown command.

what does the -y and -v do? i ran plesk repair fs <site> and got:

Checking virtual hosts' file system ................................. [OK]

Error messages: 0; Warnings: 0; Errors resolved: 0

 

[mr-wolf]

I though it would fix all ownerships and permissions of files in /var/www/vhosts/<site>/
-y means yes to all
-v means verbose...

Apperently only a limited subset....

You need to do it manually!!

chown <site-owner> /var/www/vhosts/<site-folder>/.ssh/git_known_hosts

 

[harry@positiveachieve]

I though it would fix all ownerships and permissions of files in /var/www/vhosts/<site>/
-y means yes to all
-v means verbose...

Apperently only a limited subset....

You need to do it manually!!

Thank you for getting back to me, so <site-owner> should be who i am logged in as in the shell? what id the format of the <site-owner>?

 

[harry@positiveachieve]

Here is the interface on plesk for git. This is the old ssh-rsa public key, but that needs to change to the new key define in the article ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys - Bitbucket.

Usually they are updated automatically, like on my local git. I only needed to re-auth, so as this is a server and there are permission I think it stopped git from making that change, so I need to do it manually

 

[harry@positiveachieve]

I though it would fix all ownerships and permissions of files in /var/www/vhosts/<site>/
-y means yes to all
-v means verbose...

Apperently only a limited subset....

You need to do it manually!!

in the article it says this:

IDENTIFY IF YOUR CLIENT IS IMPACTED​

To verify which host key your SSH client is using, you can run the following command:

$ ssh [email protected] host_key_info

my output is:

ssh [email protected] host_key_info
The authenticity of host 'bitbucket.org (2406:da00:ff00::22c5:2ef4)' can't be established.
ECDSA key fingerprint is SHA256:FC73VB6C4OQLSCrjEayhMp9UMxS97caD/Yyi2bhW/J0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bitbucket.org,2406:da00:ff00::22c5:2ef4' (ECDSA) to the list of known hosts.
[email protected]: Permission denied (publickey).