Cannot `git clone` Bitbucket repo on Windows: `ssh: connect to host bitbucket.org port 22: Network is unreachable`


I'm trying to clone a Bitbucket repo on a remote Windows computer, using the Git Bash terminal from Git For Windows. The remote computer is able to surf the internet in a web browser, and I am able to remotely connect into it, but the remote computer cannot git clone from Bitbucket. What could be the problem, and the appropriate fix?

Here is the error when I try to clone (connect to host bitbucket.org port 22: Network is unreachable):

$ git clone git@bitbucket.org:my_workspace/my_repo.git
Cloning into 'my_repo'...
ssh: connect to host bitbucket.org port 22: Network is unreachable
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I have already set up proper ssh keys and know this is not the problem, because on a working Windows computer with the exact same keys (I moved them over and tested), it works fine. And, when I remove the keys from the working computer, I get this totally different publickey error, clearly indicating it is a key problem:

$ git clone git@bitbucket.org:my_workspace/my_repo.git
Cloning into 'my_repo'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I suspect the port 22: Network is unreachable issue may be a Windows firewall problem [Update: it's not: disabling the firewall entirely made no difference], but I don't know how to check it, and I don't know how to fix it. I'm open to any suggestions, including ssh tunneling if necessary to route the traffic through my working computer.

(Disabling the firewall made no difference.)

I have admin rights.

It could actually be blocked at the network or router level too...

I have installed the OpenSSH server for Windows on the remote machine and can ssh into the remote Windows machine of interest via PowerShell from the working Windows computer.

Both my good (working) Windows computer and my bad (nonworking) one are Windows 10 Pro.


Solution

  • The problem

    The ssh: connect to host bitbucket.org port 22: Network is unreachable error is indicative of network traffic on port 22 being blocked. Since it's not being blocked by my Windows firewall, since I turned it off to test, then external traffic on port 22 must be getting blocked by the network admins of the remote network that my remote machine is on.

    That's frustrating.

    The fix: route SSH traffic to Bitbucket.org through port 443 instead

    ...if your network admins are blocking external traffic on port 22

    Tested on Windows 10 Pro in the Git Bash terminal which comes with Git For Windows.

    Late last night I Googled "bitbucket use port other than 22", and came across this really helpful answer: Super User: Which port must I ask to open to clone a git repository from bitbucket?.

    By simply creating a ~/.ssh/config file which contains this:

    Host bitbucket.org
        HostName altssh.bitbucket.org
        Port 443
        HostkeyAlias bitbucket.org
    

    ...my SSH clone requests to BitBucket.org are now routed through port 443, which is open, instead of port 22, which is blocked on that network, and I can now run git clone git@bitbucket.org:my_workspace/my_repo.git and it works perfectly! It takes a little longer than normal, and at one point asked if I was sure I wanted to connect, but it works!

    Big kudos to @u1686_grawity for sharing this excellent work-around.

    This morning, @Jim Redmond pointed it out too.

    Note that the only reason this works is because BitBucket.org has graciously decided to accept SSH connections on port 443 as well, probably to help poor folks like me on networks blocking port 22 traffic.

    How to check if your network is blocking your port 22 traffic

    I did a lot of research and figured out some ways to help people identify if their network firewall is the problem.

    If you're on Linux Ubuntu, install nmap ("network map") and ncat (a modern reimplementation of netcat, or nc) like this:

    sudo snap install nmap
    sudo apt update && sudo apt install ncat
    

    If you're on Windows, download the nmap binary installer, here: https://nmap.org/download.html. The latest version at this moment is nmap-7.94-setup.exe. This installer also includes the pcap (packet capture) tool, as well as the ncat netcat replacement tool.

    Once you are armed with these tools: nmap, ncat, and a browser, you can begin your tests.

    Typically:

    • Port 80 is for HTTP browser traffic.
    • Port 443 is for HTTPS browser traffic.
    • Port 22 is for SSH traffic.

    So, open a browser and navigate to https://bitbucket.org/. If that opens, then port 443 is open.

    Next, let's nmap it:

    In Windows, be sure to run this as an administrator. I recommend right-clicking Git Bash, which comes with Git For Windows, and going to "Run as administrator". Then run this command. It is the same on both Linux and Windows:

    # map the ports on bitbucket.org to see which are open
    nmap bitbucket.org
    

    On a local Linux Ubuntu 22.04 system on an open/home fiber-optic network, I get the following. Notice that ports 22, 80, and 443 are all open:

    $ nmap bitbucket.org
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-17 14:34 MST
    Nmap scan report for bitbucket.org (18.205.93.0)
    Host is up (0.071s latency).
    Other addresses for bitbucket.org (not scanned): 18.205.93.1 18.205.93.2 2406:da00:ff00::22cd:e0db
    Not shown: 997 filtered tcp ports (no-response)
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    443/tcp open  https
    
    Nmap done: 1 IP address (1 host up) scanned in 6.02 seconds
    

    On my local, working Windows 10 Pro machine which is VPNed in to a remote network, I get this (reminder: run this in a terminal as an administrator). All 3 ports are open:

    $ nmap bitbucket.org
    Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 14:36 US Mountain Standard Time
    Nmap scan report for bitbucket.org (104.192.141.1)
    Host is up (0.035s latency).
    Not shown: 997 filtered tcp ports (no-response)
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    443/tcp open  https
    
    Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds
    

    On my remote, previously-non-working Windows 10 Pro machine, I get this. Notice here that port 22 is not open! I can safely assume the managed network over there is blocking external traffic over port 22. Notice also how much slower this one is. My other two systems took ~6 seconds, but this one takes 34 seconds:

    $ nmap bitbucket.org
    Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 14:36 Pacific Daylight Time
    Nmap scan report for bitbucket.org (104.192.141.1)
    Host is up (0.0040s latency).
    Not shown: 998 filtered tcp ports (no-response)
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    
    Nmap done: 1 IP address (1 host up) scanned in 34.45 seconds
    

    To verify the results above, we can use ncat manually:

    time ncat -zv bitbucket.org 22   # manually check port 22
    time ncat -zv bitbucket.org 80   # manually check port 80
    time ncat -zv bitbucket.org 443  # manually check port 443
    

    Here are my results on the machine which has port 22 blocked. Again, notice that for ports 80 and 443 to bitbucket.org I get "Connected to...", but for port 22 I just get "TIMEOUT":

    $ time ncat -zv bitbucket.org 22
    Ncat: Version 7.94 ( https://nmap.org/ncat )
    Ncat: TIMEOUT.
    
    real    0m10.245s
    user    0m0.000s
    sys     0m0.046s
    
    $ time ncat -zv bitbucket.org 80
    Ncat: Version 7.94 ( https://nmap.org/ncat )
    Ncat: Connected to 104.192.141.1:80.
    Ncat: 0 bytes sent, 0 bytes received in 0.20 seconds.
    
    real    0m0.256s
    user    0m0.000s
    sys     0m0.015s
    
    $ time ncat -zv bitbucket.org 443
    Ncat: Version 7.94 ( https://nmap.org/ncat )
    Ncat: Connected to 104.192.141.1:443.
    Ncat: 0 bytes sent, 0 bytes received in 0.18 seconds.
    
    real    0m0.226s
    user    0m0.000s
    sys     0m0.015s
    

    You should also try:

    1. nmap github.com to check and ensure the problem isn't just bitbucket.org. When I run nmap github.com on a good machine, again, I see that ports 22, 80, and 443 are open. But, on my blocked machine, again, only ports 80 and 443 are open.
    2. Running Wireshark to watch traffic and see how and whether or not the forwarding mechanism in ~/.ssh/config alters the SSH traffic.

    References

    1. Where I found the solution: Super User: Which port must I ask to open to clone a git repository from bitbucket?
    2. Where I learned how to use nc -zv bitbucket.org 22 (on the original netcat, nc), or ncat -zv bitbucket.org 22 (on the ncat that comes with nmap): Super User: Ping Equivalent for SSH
    3. Download nmap: https://nmap.org/download.html
    4. Lots of trial and error.

    See also

    1. Now that I know to google "Host bitbucket.org HostName altssh.bitbucket.org Port 443 HostkeyAlias bitbucket.org", I just discovered this answer after-the-fact, too: ssh: connect to host bitbucket.org port 22: Connection timed out.

    2. Bitbucket/Atlassian's official documentation on the topic (thanks, @Jim Redmond!):

      1. Atlassian Support / Bitbucket Cloud Knowledge Base / Troubleshooting SSH issues: Port 22 is blocked on local network:

        Summary

        Some network administrators block outgoing SSH connections on port 22. If your network blocks this port, Bitbucket provides an alternate hostname and port combination you can use.

        This article describes how to use the alternate ssh host: altssh.bitbucket.org:443.

        . . .

        Cause

        A firewall rule is blocking outgoing connections over port 22.

        Solution

        Instead of using the normal ssh port, use altssh.bitbucket.org over port 443. Typically, port 443 is used for HTTPS, so administrators leave this port open for outbound web browsing. In this case, here's the URLs you can use:

        ssh://git@altssh.bitbucket.org:443/<Workspace>/<repo_name>/
        

        Here is a normal clone command and alternate command as an example:

        git clone git@bitbucket.org:<Workspace>/<repo_name>/ # Original
        git clone ssh://git@altssh.bitbucket.org:443/<Workspace>/<repo_name>/  # Alternate
        
      2. https://bitbucket.org/blog/author/jredmond
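
The check-then-configure procedure from the answer above, as an added shell example that is not part of the original post: it reads nmap output like the scans shown, decides whether the altssh.bitbucket.org:443 fallback is needed, and appends the answer's stanza only once. The function names and the BLOCKED_SCAN variable are assumptions made for this example.

```shell
# Scan result quoted in the answer for the machine with port 22 blocked.
BLOCKED_SCAN='PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https'

# port_open SCAN PORT: succeeds if nmap listed PORT/tcp with state "open".
port_open() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2/tcp[[:space:]]+open([[:space:]]|\$)"
}

# needs_altssh SCAN: prints "direct", "altssh" or "no-route".
needs_altssh() {
    if port_open "$1" 22; then
        echo direct      # port 22 reachable: no config change needed
    elif port_open "$1" 443; then
        echo altssh      # 22 filtered, 443 open: the fallback applies
    else
        echo no-route    # neither port reachable: the stanza will not help
    fi
}

# add_altssh_stanza FILE: appends the stanza from the answer unless a
# "Host bitbucket.org" block already exists, so repeated runs are safe.
add_altssh_stanza() {
    cfg=$1
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg" && chmod 600 "$cfg"   # keep the SSH config private to the user
    if grep -Eq '^[[:space:]]*Host[[:space:]]+bitbucket\.org[[:space:]]*$' "$cfg"; then
        return 0
    fi
    cat >> "$cfg" <<'EOF'

Host bitbucket.org
    HostName altssh.bitbucket.org
    Port 443
    HostkeyAlias bitbucket.org
EOF
}

# Hypothetical usage on a live machine:
#   scan=$(nmap -p 22,443 bitbucket.org)
#   [ "$(needs_altssh "$scan")" = altssh ] && add_altssh_stanza "$HOME/.ssh/config"
# Confirm what ssh will actually use afterwards:
#   ssh -G bitbucket.org | grep -Ei '^(hostname|port|hostkeyalias) '
```

Because of HostkeyAlias, the key presented by altssh.bitbucket.org is stored and checked under the name bitbucket.org in known_hosts. When the first connection asks whether to continue, compare the fingerprint it shows with the ones Bitbucket publishes before accepting.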