Bitbucket vs. Bitbucket

I was recently added to a Bitbucket repository with my company email address. I already have a Bitbucket account that uses my personal email address, but we didn’t want to connect those for obvious reasons. Separation of concerns, et cetera.

Bitbucket only allows a given SSH key to be added to one account, and my RSA key has already been used with my personal account. Luckily I also have an Ed25519 key, which I prefer using anyway, so I added the public version of Ed to the Bitbucket account with my company email address. So far so good!

The problem was when trying to clone the repository–I had no access.

Which also did not make sense, because I had the correct public key added to the correct Bitbucket account, and the account had sufficient privileges, so we went digging!

Verbose it!

Running the command ssh -T -vv git@bitbucket.org will get us the necessary bits and pieces:

debug2: key: /Users/javorszky/.ssh/id_rsa (0x7fa28940dd20)
debug2: key: /Users/javorszky/.ssh/id_dsa (0x0)
debug2: key: /Users/javorszky/.ssh/id_ecdsa (0x0)
debug2: key: /Users/javorszky/.ssh/id_ed25519 (0x7fa28940f320)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:<redacted> /Users/javorszky/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279

The above tells us that ssh found a valid RSA key and a valid Ed25519 key, and chose to offer the RSA key first. Which means even though I have two accounts, each identified by a different key, it defaults to the RSA key, so Bitbucket always identifies me as my personal Bitbucket account, which does not have access to the company repository.

So let’s work around that.

Solve it!

The great thing about ssh is that you can create shorthands and aliases and specify all sorts of different things! On macOS you should have a ~/.ssh/config file. If you edit that, you can put host-specific configurations there.

To solve the current problem, add this to the config file:

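Host bitbucket
    # The real server behind the alias
    HostName bitbucket.org
    # Offer only this key, nothing else from the agent or the default files
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes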

The above means that the alias is going to be bitbucket (notice that there’s no .org at the end of it). The HostName is where it redirects (the true address of it). The IdentityFile is the key to use, and IdentitiesOnly yes tells ssh to offer only that configured key, instead of first trying every other key it finds in the default locations or in the agent.

Cloning the repository with git clone git@bitbucket:user/repo.git will use Ed to identify me, and uses my company account, because the ssh config file is used, and there’s an entry for bitbucket (no .org). If I clone the repository with git clone git@bitbucket.org:user/repo.git, I’m using the RSA key, and I am my personal account.
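
To confirm which key a connection actually authenticated with, before and after the config change, you can pull it out of the debug output. The script below is an added example, not part of the original post: the function names are made up for illustration, and it assumes the "Offering public key: <type> <fingerprint> <path>" line format shown in the log above (other OpenSSH versions may order these fields differently).

```shell
#!/bin/sh
# Added example: report which key the server accepted, from ssh -v/-vv output.
# Assumes the debug line format shown in the post; key paths must not contain spaces.

# Constructed sample: the relevant debug lines from the post.
sample_log() {
cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:<redacted> /Users/javorszky/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
EOF
}

# Keys are offered one at a time, so the accepted key is the last one offered
# before the first "Server accepts key" line. Prints nothing if none was accepted.
accepted_key() {
    awk '
        /^debug1: Offering public key:/ { last = $NF }
        /^debug1: Server accepts key:/  { if (last != "") print last; exit }
    '
}

# Succeed only if the accepted key is the expected one; explain a mismatch on stderr.
# usage: <debug output on stdin> | assert_identity <expected-key-path>
assert_identity() {
    expected=$1
    actual=$(accepted_key)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "wrong identity: expected $expected, server accepted ${actual:-none}" >&2
    return 1
}

# The log from the post shows the RSA key winning:
sample_log | accepted_key   # prints /Users/javorszky/.ssh/id_rsa
```

Against a live connection, pipe the real output in: ssh -T -vv git@bitbucket 2>&1 | assert_identity "$HOME/.ssh/id_ed25519" should succeed once the Host entry is in place.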