is changing git remote url from https to ssh safe?

Question

I have been using the HTTPS method for my bitbucket project, but since bitbucket requires app password on march 1 2022, I added the app password for my project but now I keep getting asked for username and password everytime I do something with git (e.g. git pull).. the atlassian documentation says that if I change the url into SSH, I won't be asked for password anymore.

git remote set-url origin git@bitbucket.org:tutorials/tutorials.git

but when I tried to change it into SSH, there was a warning like this:

The authenticity of host 'bitbucket.org (ip address)' can't be established.
RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxx.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

after I read some articles on the internet, it says that that was a safety feature provided by git and we shouldn't mess with it. is it still unsafe to do this? isn't this method going to ask the app password which can only be seen once by the account holder?

Answer 1

This warning comes from your SSH client and is strictly speaking unrelated to Git and BitBucket. Git just uses SSH as a transport protocol and delegates authentication to the SSH client and server.

Your SSH client will always present you this message whenever you try to establish a connection to a SSH server for the first time. In this case your BitBucket host runs the SSH server. It just means, that your client doesn't know the server yet, so it asks you to verify the server's key fingerprint to make sure that you are connecting to the legit server. The reason for this is to prevent so called man in the middle attacks where someone could intercept the connection and pretend to be the server you actually want to connect to.

So it's not something to worry about. Just compare the fingerprints and continue. If you use the BitBucket service by Atlassian, you can find the fingerprint in their docs.