0

I'm trying to clone a Bitbucket repo on a remote Windows computer, using the Git Bash terminal from Git For Windows. The remote computer is able to surf the internet in a web browser, and I am able to remotely connect into it, but the remote computer cannot git clone from Bitbucket. What could be the problem, and the appropriate fix?

Here is the error when I try to clone (connect to host bitbucket.org port 22: Network is unreachable):

$ git clone git@bitbucket.org:my_workspace/my_repo.git
Cloning into 'my_repo'...
ssh: connect to host bitbucket.org port 22: Network is unreachable
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I have already set up proper ssh keys and know this is not the problem, because on a working Windows computer with the exact same keys (I moved them over and tested), it works fine. And, when I remove the keys from the working computer I get this totally different publickey error indicating clearly it is a key problem:

$ git clone git@bitbucket.org:my_workspace/my_repo.git
Cloning into 'my_repo'...
git@bitbucket.org: Permission denied (publickey). 
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I suspect the port 22: Network is unreachable issue may be a Windows firewall problem [Update: it's not: disabling the firewall entirely made no difference], but I don't know how to check it, and I don't know how to fix it. I'm open to any suggestions, including ssh tunneling if necessary to route the traffic through my working computer.

(Disabling the firewall made no difference.)

I have admin rights.

It could actually be blocked at the network or router level too...

I have installed the OpenSSH server for Windows on the remote machine and can ssh into the remote Windows machine of interest via Power Shell from the working Windows computer.

Both my good (working) Windows computer and my bad (nonworking) one are Windows 10 Pro.

Gabriel Staples

3 Answers

1
  1. First try to clone any public repository.
  2. If you are able to clone any public repository, then you have an issue with the SSH key; you may need to regenerate the SSH key and update it on Bitbucket.
  3. If you are facing the same error for a public repository, then there may be a firewall issue; try disabling the firewall temporarily and try again. Here is the process to disable the firewall in Windows: https://www.linksys.com/be/support-article/?articleNum=143654. Possibly it will resolve your problem.
Create Explorer
  • Indeed, cloning a [random public repo](https://bitbucket.org/fargo3d/public/src/bb3829f0c860c774e09f9c7299a0c36863fe19d5/?at=release%2Fpublic) (`git clone https://bitbucket.org/fargo3d/public.git`) does work. But, that doesn't *quite* explain it yet, as that URL is an HTTPS URL instead of an SSH URL. Trying the SSH URL next... – Gabriel Staples Aug 17 '23 at 06:28
  • Sure enough, `git clone git@bitbucket.org:fargo3d/public.git` fails with `ssh: connect to host bitbucket.org port 22: Network is unreachable`, as though SSH traffic is blocked to Bitbucket, not as though the key is wrong. In prior testing on my good computer, when my key is wrong, it says `git@bitbucket.org: Permission denied (publickey).` instead. I'll try it on my good computer next. – Gabriel Staples Aug 17 '23 at 06:35
  • On my good Windows computer, `git clone git@bitbucket.org:fargo3d/public.git` works perfectly. Let me try turning off the firewall on my bad computer. – Gabriel Staples Aug 17 '23 at 06:39
  • Turning off my Windows Firewall made no difference. I still get the same `ssh: connect to host bitbucket.org port 22: Network is unreachable` error as before. – Gabriel Staples Aug 17 '23 at 06:43
  • I've upvoted your answer because it has some good ideas, but unfortunately the suggestions don't work. Something else is going on. – Gabriel Staples Aug 17 '23 at 06:43
  • Have you tried the HTTPS version of the URL, like "git clone https://github.com/norman/friendly_id.git"? – Create Explorer Aug 17 '23 at 07:28
  • Yes, see my first comment to your answer. That does work. – Gabriel Staples Aug 17 '23 at 07:29
  • Can you try turning IPv6 off? It may also cause issues sometimes; it varies based on the network you connect to, e.g. if you connect through a mobile hotspot then it causes issues sometimes. Try changing your network; you can also try disabling IPv6. Link to help with disabling IPv6: https://networking.grok.lsu.edu/article.aspx?articleid=17573 – Create Explorer Aug 17 '23 at 07:35
  • Done. I disabled IPv6 on my Wifi adapter, and it didn't change the result. – Gabriel Staples Aug 17 '23 at 07:46
  • This looks promising: https://superuser.com/a/1677976/425838 – Gabriel Staples Aug 17 '23 at 07:51
  • To remote into this "bad" machine, I first have to VPN into the network, making my connection to it then seem local. I suspect that external traffic over port 22 is being blocked by a network firewall outside of Windows. – Gabriel Staples Aug 17 '23 at 07:53
1

"Network is unreachable" could mean that either there's something blocking all traffic from that system to Bitbucket, or that there's something blocking bitbucket.org:22 specifically. I suspect it's just port 22, but you can confirm by visiting bitbucket.org from a browser on that system.

Bitbucket maintains a separate hostname, altssh.bitbucket.org, that listens for SSH traffic on port 443 (normally for HTTPS). You should be able to clone with git clone ssh://git@altssh.bitbucket.org:443/owner/repo (note that this format has a slash between git@altssh.bitbucket.org:443 and the owner/repo piece); that sets origin appropriately, so future pulls and pushes from that system will use the correct hostname and port.

Jim Redmond
  • This is it! How did you find out this information? Did you read it on Atlassian's or Bitbucket's website somewhere? I found it [here](https://superuser.com/a/1677976/425838). – Gabriel Staples Aug 17 '23 at 21:49
  • It's specifically documented at https://confluence.atlassian.com/bbkb/port-22-is-blocked-on-local-network-1168865232.html, but all the major Git hosting providers have something similar. – Jim Redmond Aug 17 '23 at 22:32
  • Also, https://bitbucket.org/blog/author/jredmond – Jim Redmond Aug 17 '23 at 22:37
  • Oh, that 2nd link is of all of your articles. Nice! Do you work for Bitbucket? – Gabriel Staples Aug 17 '23 at 23:33
  • I did, long ago. I haven't had any reason to use Bitbucket since, but `altssh.bitbucket.org` still resolves and it's still documented. – Jim Redmond Aug 21 '23 at 19:47
1

The problem

The ssh: connect to host bitbucket.org port 22: Network is unreachable error is indicative of network traffic on port 22 being blocked. Since it's not being blocked by my Windows firewall, since I turned it off to test, then external traffic on port 22 must be getting blocked by the network admins of the remote network that my remote machine is on.

That's frustrating.

The fix: route SSH traffic to Bitbucket.org through port 443 instead

...if your network admins are blocking external traffic on port 22

Tested on Windows 10 Pro in the Git Bash terminal which comes with Git For Windows.

Late last night I Googled "bitbucket use port other than 22", and came across this really helpful answer: Super User: Which port must I ask to open to clone a git repository from bitbucket?.

By simply creating a ~/.ssh/config file which contains this:

Host bitbucket.org
    HostName altssh.bitbucket.org
    Port 443
    HostkeyAlias bitbucket.org

...my SSH clone requests to BitBucket.org are now routed through port 443, which is open, instead of port 22, which is blocked on that network, and I can now run git clone git@bitbucket.org:my_workspace/my_repo.git and it works perfectly! It takes a little longer than normal, and at one point asked if I was sure I wanted to connect, but it works!

Big kudos to @u1686_grawity for sharing this excellent work-around.

This morning, @Jim Redmond pointed it out too.

Note that the only reason this works is because BitBucket.org has graciously decided to accept SSH connections on port 443 as well, probably to help poor folks like me on networks blocking port 22 traffic.

How to check if your network is blocking your port 22 traffic

I did a lot of research and figured out some ways to help people identify if their network firewall is the problem.

If you're on Linux Ubuntu, install nmap ("network map") and ncat (a modern reimplementation of netcat, or nc) like this:

sudo snap install nmap
sudo apt update && sudo apt install ncat

If you're on Windows, download the nmap binary installer, here: https://nmap.org/download.html. The latest version at this moment is nmap-7.94-setup.exe. This installer also includes the pcap (packet capture) tool, as well as the ncat netcat replacement tool.

Once you are armed with these tools: nmap, ncat, and a browser, you can begin your tests.

Typically:

  • Port 80 is for HTTP browser traffic.
  • Port 443 is for HTTPS browser traffic.
  • Port 22 is for SSH traffic.

So, open a browser and navigate to https://bitbucket.org/. If that opens, then port 443 is open.

Next, let's nmap it:

In Windows, be sure to run this as an administrator. I recommend right-clicking Git Bash, which comes with Git For Windows, and going to "Run as administrator". Then run this command. It is the same on both Linux and Windows:

# map the ports on bitbucket.org to see which are open
nmap bitbucket.org

On a local Linux Ubuntu 22.04 system on an open/home fiber-optic network, I get the following. Notice that ports 22, 80, and 443 are all open:

$ nmap bitbucket.org
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-17 14:34 MST
Nmap scan report for bitbucket.org (18.205.93.0)
Host is up (0.071s latency).
Other addresses for bitbucket.org (not scanned): 18.205.93.1 18.205.93.2 2406:da00:ff00::22cd:e0db
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.02 seconds

On my local, working Windows 10 Pro machine which is VPNed in to a remote network, I get this (reminder: run this in a terminal as an administrator). All 3 ports are open:

$ nmap bitbucket.org
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 14:36 US Mountain Standard Time
Nmap scan report for bitbucket.org (104.192.141.1)
Host is up (0.035s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds

On my remote, previously-non-working Windows 10 Pro machine, I get this. Notice here that port 22 is not open! I can safely assume the managed network over there is blocking external traffic over port 22. Notice also how much slower this one is. My other two systems took ~6 seconds, but this one takes 34 seconds:

$ nmap bitbucket.org
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-17 14:36 Pacific Daylight Time
Nmap scan report for bitbucket.org (104.192.141.1)
Host is up (0.0040s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 34.45 seconds

To verify the results above, we can use ncat manually:

time ncat -zv bitbucket.org 22   # manually check port 22
time ncat -zv bitbucket.org 80   # manually check port 80
time ncat -zv bitbucket.org 443  # manually check port 443

Here are my results on the machine which has port 22 blocked. Again, notice that for ports 80 and 443 to bitbucket.org I get "Connected to...", but for port 22 I just get "TIMEOUT":

$ time ncat -zv bitbucket.org 22
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: TIMEOUT.

real    0m10.245s
user    0m0.000s
sys     0m0.046s

$ time ncat -zv bitbucket.org 80
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Connected to 104.192.141.1:80.
Ncat: 0 bytes sent, 0 bytes received in 0.20 seconds.

real    0m0.256s
user    0m0.000s
sys     0m0.015s

$ time ncat -zv bitbucket.org 443
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Connected to 104.192.141.1:443.
Ncat: 0 bytes sent, 0 bytes received in 0.18 seconds.

real    0m0.226s
user    0m0.000s
sys     0m0.015s

You should also try:

  1. nmap github.com to check and ensure the problem isn't just bitbucket.org. When I run nmap github.com on a good machine, again, I see that ports 22, 80, and 443 are open. But, on my blocked machine, again, only ports 80 and 443 are open.
  2. Running Wireshark to watch traffic and see how and whether or not the forwarding mechanism in ~/.ssh/config alters the SSH traffic.

References

  1. Where I found the solution: Super User: Which port must I ask to open to clone a git repository from bitbucket?
  2. Where I learned how to use nc -zv bitbucket.org 22 (on the original netcat, nc), or ncat -zv bitbucket.org 22 (on the ncat that comes with nmap): Super User: Ping Equivalent for SSH
  3. Download nmap: https://nmap.org/download.html
  4. Lots of trial and error.

See also

  1. Now that I know to google "Host bitbucket.org HostName altssh.bitbucket.org Port 443 HostkeyAlias bitbucket.org", I just discovered this answer after-the-fact, too: ssh: connect to host bitbucket.org port 22: Connection timed out.

  2. Bitbucket/Atlassian's official documentation on the topic (thanks, @Jim Redmond!):

    1. Atlassian Support / Bitbucket Cloud Knowledge Base / Troubleshooting SSH issues: Port 22 is blocked on local network:

      Summary

      Some network administrators block outgoing SSH connections on port 22. If your network blocks this port, Bitbucket provides an alternate hostname and port combination you can use.

      This article describes how to use the alternate ssh host: altssh.bitbucket.org:443.

      . . .

      Cause

      A firewall rule is blocking outgoing connections over port 22.

      Solution

      Instead of using the normal ssh port, use altssh.bitbucket.org over port 443. Typically, port 443 is used for HTTPS, so administrators leave this port open for outbound web browsing. In this case, here's the URLs you can use:

      ssh://git@altssh.bitbucket.org:443/<Workspace>/<repo_name>/ 
      

      Here is a normal clone command and alternate command as an example:

      git clone git@bitbucket.org:<Workspace>/<repo_name>/ # Original
      git clone ssh://git@altssh.bitbucket.org:443/<Workspace>/<repo_name>/  # Alternate
      
    2. https://bitbucket.org/blog/author/jredmond

Gabriel Staples
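The ncat check from the answer above, as an added Python example that is not part of the original answers: it connects to bitbucket.org:22 and altssh.bitbucket.org:443, reads the SSH identification line that a server sends first, and separates a dropped port from a refused one and from a port that is open but not speaking SSH. The names `probe_ssh` and `recommend` and the state labels are assumptions made for this example.

```python
import socket

# probe_ssh, recommend and the state labels are illustrative names, not from the page.

def probe_ssh(host, port, timeout=5.0):
    """Return (state, banner) for one TCP endpoint.

    ssh          connected and the peer sent an SSH identification line
    open-no-ssh  connected, but nothing that looks like SSH came back
    filtered     no answer before the timeout (what ncat reports as TIMEOUT)
    refused      connection actively rejected
    unreachable  DNS failure or no route to the host
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError:
        return "unreachable", ""
    with sock:
        try:
            data = sock.recv(255)  # SSH servers speak first
        except OSError:            # includes a read timeout
            data = b""
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            return "ssh", line.decode("ascii", "replace").strip()
    return "open-no-ssh", ""

def recommend(state_22, state_443):
    """Turn the two probe states into the next step from the answers above."""
    if state_22 == "ssh":
        return "port 22 reaches an SSH server: look at keys, not the network"
    if state_443 == "ssh":
        return "port 22 is blocked: route SSH via altssh.bitbucket.org:443"
    return "no SSH path on 22 or 443: clone over HTTPS or ask the network admins"

if __name__ == "__main__":
    s22, b22 = probe_ssh("bitbucket.org", 22)
    s443, b443 = probe_ssh("altssh.bitbucket.org", 443)
    print(f"bitbucket.org:22         -> {s22} {b22}")
    print(f"altssh.bitbucket.org:443 -> {s443} {b443}")
    print(recommend(s22, s443))
```

An `open-no-ssh` result on port 443 means something other than an SSH server answered, in which case the `~/.ssh/config` override will not help on that network.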