I was recently added to a bitbucket repository with my company email address. I already have a bitbucket account that uses my personal email address, but we didn’t want to connect those for obvious reasons. Separation of concerns, et cetera.
Bitbucket only allows one ssh key to be added to one account, and my RSA key has already been used with my personal account. Luckily I also have an ed_25519 key as well, which I prefer using anyways, so I added the public version of Ed to the Bitbucket account with my company email address. So far so good!
The problem was when trying to clone the repository–I had no access.
Which also did not make sense, because I had the correct public key added to the correct Bitbucket account, and the account had sufficient privileges, so we went digging!
Running the command
ssh -T -vv email@example.com will get us the necessary bits and pieces:
... debug2: key: /Users/javorszky/.ssh/id_rsa (0x7fa28940dd20) debug2: key: /Users/javorszky/.ssh/id_dsa (0x0) debug2: key: /Users/javorszky/.ssh/id_ecdsa (0x0) debug2: key: /Users/javorszky/.ssh/id_ed25519 (0x7fa28940f320) debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:<redacted> /Users/javorszky/.ssh/id_rsa debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 ...
The above tells us that it found a valid RSA and a valid ED25519 key and chose to send the RSA key. Which means even though I have two accounts, each identified by different keys, it defaults to the RSA key, so Bitbucket always tries to identify me as my personal Bitbucket account, which does not have access to the repository with my company access.
So let’s work around that.
The great thing about ssh is that you can create shorthands and aliases and specify all sorts of different things! On macOS you should have a
~/.ssh/config file. If you edit that, you can put host-specific configurations there.
To solve the current problem, add this to the config file:
... Host bitbucket HostName bitbucket.org IdentityFile ~/.ssh/id_ed25519 IdentitiesOnly yes ...
The above means that the alias is going to be
bitbucket (notice that there’s no
.org at the end of it). The
HostName is where it redirects (the true address of it). The
IdentityFile is the key to use, and
IdentitiesOnly yes means that connection is only allowed through a public key.
Cloning the repository with
git clone git@bitbucket:user\repo.git will use Ed to identify me, and uses my company account, because the ssh config file is used, and there’s an entry for
.org). If I clone the repository with
git clone firstname.lastname@example.org:user\repo.git, I’m using the RSA key, and I am my personal account.