How to specify both a Bitbucket repository key and a user key such that the repository key is read-only and the user key provides push capability?

Question

Bitbucket provides for setting up a key on a repository for read-only access. Without debating the merits of the following methodology, I want to use this feature in order to git pull to deploy changes to websites (as user root), but I also want to provide for a non-root user to very occasionally be able to push to the repo from the web server using their own key. I've assigned root's default id_rsa.pub key as the Bitbucket repository key, and the pull (read-only) functionality is working when signed in as root. However, I get an error when trying to push from a specific user. The error is:

Load key "/home/user1/.ssh/bitbucket": Permission denied
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

I am issuing the git push as user1, so I don't understand why it's giving a Permission denied error when trying to load the key. Why can't user1 load and use his own key? The private part of both keys mentioned below has permissions set to 600, and the public part has permissions set to 644.

The setup:

• Ubuntu 20.04
• Two users: root and user1
• root's id_rsa.pub key added to the Bitbucket repository's Access Keys
• user1's key for accessing Bitbucket (named bitbucket.pub) added to the user's SSH Keys in BitBucket

A config file in /root/.ssh/ with the following:

Host bitbucket.org
    HostName bitbucket.org
    IdentityFile /root/.ssh/id_rsa
    IdentitiesOnly yes

A config file in /home/user1/.ssh/ with the following:

Host bitbucket.org
    HostName bitbucket.org
    User git_user1
    IdentityFile /home/user1/.ssh/bitbucket
    IdentitiesOnly yes

git remote -v shows:

• origin git@bitbucket.org:our_bitbucket_organization/website-name.git (fetch)
• origin git@bitbucket.org:our_bitbucket_organization/website-name.git (push)

user1 can push to the repo fine from their development server - the user is a user in the organization and so is a user on the repo. I have also tried commenting out the User line in user1's config file but get the same error.

I've also studied this question (and especially this answer) but can't find anything in there that quite addresses this error. I want to have two separate config files, not a single config file.

Any suggestions are greatly appreciated.

Answer 1

Load key "/home/user1/.ssh/bitbucket": Permission denied

The error means the file is not readable by user1. To fix:

chown -R user1 /home/user1/.ssh
chmod -R u=rwX,go= /home/user1/.ssh

PS. This is more generic than just a fix for one file. Just in case.