Encrypted copies of Bitbucket SSH keys leaked

Encrypted copies of Bitbucket SSH keys leaked(bitbucket.org)

2 points by dentarg 2 years ago | 3 comments

necovek 2 years ago |

Title made it confusing: how did bitbucket even have users' SSH keys?

However, it seems to be about their host keys. The article seems down for me, but https://bitbucket.org/blog/ has a title "ACTION REQUIRED: Update your Bitbucket Cloud SSH Host Keys".

That means that you need to drop their entries from your known_hosts file or you risk a MITM attack on an insecure network.

Considering we usually blindly accept new SSH hosts without checking for fingerprints (eg on new or reinstalled machines), it's probably unlikely this will be exploited in the wild since it already could have been.

necovek 2 years ago | |

Another point worth bringing up: it'd be nice if we set up either a PGP-like trust ring for host SSH signatures, or relied on a set of CAs like we do for TLS.

Something as simple as confirm-fingerprint-over-https (eg. look for https://ssh-host/.host-ssh-fingerprint) could work if enough ssh clients used it.

dentarg 2 years ago | | |

You can do that with DNS (preferably DNSSEC is used): https://en.wikipedia.org/wiki/SSHFP_record, https://man.openbsd.org/ssh_config#VerifyHostKeyDNS