Introduction
Problem
Terraform cannot retrieve configuration from the remote Bitbucket repository: the SSH connection fails during key negotiation. terraform plan fails with the following error:
Error: failed to retrieve configuration
Retrieving the configuration version failed with the error: Internal error: SIC-001.
Failed to ingress entity: operation failed: Failed to reach repo: Failed on ls-remote: exit status 128 Output:
Warning: Permanently added '[bitbucket.xxx.xxxx.co.xx]:7x9x' (RSA) to the list of known hosts.
sign_and_send_pubkey: no mutual signature supported
git@bitbucket.xxx.xxx.co.xx: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
Cause
With recent security hardening in Bitbucket Data Center (including version 10.1.4 and later), legacy RSA (ssh-rsa) keys using deprecated SHA-1 signatures are no longer accepted by default.
If HCP Terraform (or your SSH configuration) is still using an old RSA key, the SSH handshake fails because:
Bitbucket no longer accepts the deprecated ssh-rsa signature algorithm (RSA signatures with SHA-1).
The client and server cannot agree on a mutually supported signature algorithm.
Authentication fails before repository access is granted.
This results in Terraform being unable to perform git ls-remote, which causes the SIC-001 error.
Solution:
Atlassian's recommended fix (see the reference document under Additional Information) is to replace the deprecated keys with a key pair generated using a supported, stronger algorithm such as ECDSA or ED25519.
Configure the connection with the newly generated keys.
Trigger a no-op commit so that HCP Terraform re-ingresses the configuration.
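As an added example (not from the original article, nor from Atlassian or HashiCorp), the POSIX shell script below audits a file of registered public keys for the deprecated ssh-rsa type and wraps the ssh-keygen invocation that produces an ED25519 replacement. The file names, key comments and sample key lines are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original article: find ssh-rsa public keys
# before Bitbucket rejects them, and generate an ED25519 replacement.
# File names, comments and sample keys below are constructed placeholders.

# classify_key LINE: print "deprecated", "supported" or "unknown" for one
# public-key line in the OpenSSH format "<type> <base64> [comment]".
classify_key() {
  case "$1" in
    "ssh-rsa "*)
      # RSA key. Clients that only offer the SHA-1 ssh-rsa signature are
      # rejected by Bitbucket Data Center 10.1.4+ ("no mutual signature").
      echo deprecated ;;
    "ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*)
      echo supported ;;
    *)
      echo unknown ;;
  esac
}

# audit_keys_file FILE: classify every non-empty, non-comment line, print
# "<status> <key comment>" per key, and return 1 if any key is deprecated.
audit_keys_file() {
  file=$1
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    status=$(classify_key "$line")
    set -- $line                      # split into type, base64, optional comment
    printf '%s %s\n' "$status" "${3:-<no comment>}"
    if [ "$status" = deprecated ]; then found=1; fi
  done < "$file"
  return "$found"
}

# count_deprecated FILE: number of deprecated keys in FILE (handy in CI checks).
count_deprecated() {
  audit_keys_file "$1" | grep -c '^deprecated ' || true
}

# generate_replacement_key FILE COMMENT: create FILE (private) and FILE.pub.
# Register FILE.pub with Bitbucket; FILE goes into the HCP Terraform VCS
# connection. Not called in the demo below so the script runs without ssh-keygen.
generate_replacement_key() {
  ssh-keygen -t ed25519 -f "$1" -C "$2"
}

# --- Demo on constructed sample keys (truncated base64, not real keys) ---
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# keys registered for the HCP Terraform VCS connection (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLE hcp-terraform-legacy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE hcp-terraform-2024
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIEXAMPLE ci-runner
EOF
audit_keys_file "$tmp" || echo "deprecated key(s) found: run generate_replacement_key <file> <comment> and re-register"
rm -f "$tmp"
```

OpenSSH clients from 7.2 onward can sign with an RSA key using rsa-sha2-256 or rsa-sha2-512, so the "no mutual signature supported" message means the client in the path only offered the SHA-1 ssh-rsa signature; switching the key to ED25519, as the article recommends, removes that dependency on the client's signature negotiation entirely.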
Outcome
Authentication with the Bitbucket server succeeds.
After the deprecated RSA keys are replaced with ED25519 or ECDSA keys, the SSH handshake succeeds and the SIC-001 error is resolved.
Additional Information
Release page: https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-10-1-release-notes-1671462965.html
Solution suggested by Atlassian: https://support.atlassian.com/bitbucket-data-center/kb/ssh-rsa-key-rejected-with-message-no-mutual-signature-algorithm/