How do Bamboo remote agents handle SSH keys from SSH and SCP tasks

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Building or deploying plans that require ssh connections from a remote agent that has lower security restrictions than the builds/deployments that are being executed on that agent might create some concerns on exposure of private ssh keys used in SCP/SSH tasks.

Solution

Bamboo uses a Java library (net.schmizz.ssh) to establish the ssh connection without spawning a native process. This means that the SSH key is not expose on the remote agent filesystem. The key used for establishing the connection will be present only in the remote agent memory for the time of the ssh connection.

Updated on March 6, 2025
Platform
Data Center only
Product
Bamboo Data Center
On this pageSummarySolution

Still need help?

The Atlassian Community is here for you.
Ask the Community