Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to restrict bitbucket server to user+IP

Javier Perez
Javier Perez
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 10, 2016

Use case: We have developers in training at our office. They need access to source code so  we'll assign them a PC from which they can pull/push from/to bitbucket server. For security reasons this PC is the only one they can use to work with the source code

Issue: These developers can still go to a different PC and access the source code from bitbucket, since their credentials allow access, as needed per the use case

Question 1: Is there a way we can restrict bitbucket access (both push and pull) for a userid+IP combination: in this way these developers would be able to access the code because they're allowed to (user restriction) but only from the restricted PC (adding IP to authorization)

Question 2: Any other was we can solve the issue in the use case

 

Answer
Watch
Like pnik073 likes this
2833 views

1 answer

1 accepted

0 votes
Answer accepted
Adam
Adam
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 10, 2016

There's nothing in Bitbucket itself to help with this out of the box, but I can think of a few options:

- download the Atlassian Supported SAML add-on, and only let them log in through SAML (don't let them know what their internal password is).

- Use a third-party add-on like Kerberos to handle it

- write a plugin that implements a <servlet-filter> to reject access to certain users from certain IPs on each request. You might have to do something special for SSH - not sure. Maybe an AuthenticationHandler would work too. E.g. an AuthenticationSuccessHandler might be able to log them out if their IP is bad? 

Best of luck!

Adam

View More Comments
Javier Perez
Javier Perez
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 10, 2016

Thanks Adam.

  • About  authentication tools, we use crowd. Is Atlassian crowd able help here, do you know?
  • About AuthebticationSuccessHandler, could you provide an example of implementation?
Like
Adam
Adam
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 10, 2016

I'm not sure if there's anything in Crowd that would help, sorry. https://developer.atlassian.com/static/javadoc/bitbucket-server/4.11.0/spi/reference/com/atlassian/bitbucket/auth/SshAuthenticationSuccessHandler.html is something I think you could use. You can pull the user out of the context (https://developer.atlassian.com/static/javadoc/bitbucket-server/4.11.0/spi/reference/com/atlassian/bitbucket/auth/SshAuthenticationSuccessContext.html) and then look up the approved IPs for that user. If they don't match, you log them out. I think that might work? But actually I'm no expert on this and could be completely wrong.

Another option might be to look at com.atlassian.bitbucket.internal.ssh.server.DefaultSshAuthenticationHandler in the source code (you can download this if you've purchased a license), and preempt it with an SshAuthenticationHandler of your own that does the same thing, but also checks for IPs before succeeding (and explicitly fails/throws if the IP doesn't match so that the DefaultSshAuthenticationHandler doesn't get a chance to try).

Sorry I can't give you more detailed help - I'm not the best person to be answering this question, I just thought I'd tell you what I know.

Like
Javier Perez
Javier Perez
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 14, 2016

Thanks Adam. It's not resolving my issue, but it's the best lead I have.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.