I have an evaluation Stash instance that has somehow gotten into a state where every user is authenticated as me, regardless of whether they have a valid public key.
I don't know enough about how Stash's SSH server works, but I stumbled on this page which says that the "whoami" command is available, so I created a fresh repo and logged in from a clean Linux machine:
# ssh -p 8022 git@git-server whoami
ethan
Not only does it allow me to log in (which it shouldn't), the whoami command returns my username.
This is on a completely clean machine - I picked a random Linux computer in the office and ran this command. That machine has an SSH key pair that has never been used in Stash.
Here's what led up to this problem, as far as I can tell...
This problem began when I created a repo Access Key. I then realized I'd rather have a project-level Access Key, so I deleted the repo one and added the same one as a project Access Key. All was well until I made some changes and pushed, only to realize that I shouldn't have been able to push ... but I could. This was in Stash 2.9, so I thought it might have to do with the new "Read" vs. "Read/Write" option in 2.12, so I upgraded to Stash 2.12.
In Stash 2.12, I removed the key and recreated it with explicit "Read" permissions. I could still push. So I deleted the key altogether and I could STILL push.
I removed all keys from the offending computer and I could still push. Finally I created a fresh repo, switched to an entirely different client computer, and the problem still occurs. Basically my whole GIT server is currently world-writable (within my LAN, at least) due to this problem.
Can I get any help debugging this issue?
I actually figured out what was happening. My SSH client, SecureCRT, has a checkbox for "Enable OpenSSH agent forwarding" that is selected by default. I only discovered after using "ssh -vvvv" to view debugging details about login that my local instance of Pageant was silently authenticating me via this forwarding mechanism. Thus, this is not a real problem with Stash. I apologize for the false accusations!
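The mechanism described in that answer, as an added example that is not part of the original post or of Atlassian's documentation: with agent forwarding on, the "clean" machine's shell inherits an SSH_AUTH_SOCK that points at the forwarded agent, so ssh there silently offers every key held by the local Pageant or ssh-agent. The helpers below make the whoami probe honest by ignoring any agent and any default key file, and show how to spot agent-held keys in `ssh -v` output. The host name, port and key path are assumptions, and the log sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Atlassian): helpers for
# reproducing the "whoami" probe without a forwarded agent contaminating the
# result. Host name, port and key file path are assumptions.

# True (exit 0) when an agent socket is reachable from this shell. Under agent
# forwarding, SSH_AUTH_SOCK on the remote "clean" machine names the forwarded
# agent, so ssh there can authenticate with keys that never lived on that host.
agent_available() {
    sock="${1:-$SSH_AUTH_SOCK}"
    [ -n "$sock" ] && [ -S "$sock" ]
}

# Command line for a probe that can only use the one key file named:
# IdentityAgent=none ignores any agent (forwarded or local), and
# IdentitiesOnly=yes stops ssh from trying the other default key files.
stash_whoami_cmd() {
    host="$1"; port="$2"; keyfile="$3"
    printf 'ssh -p %s -o IdentityAgent=none -o IdentitiesOnly=yes -i %s git@%s whoami' \
        "$port" "$keyfile" "$host"
}

# Count keys offered from an agent in `ssh -v` output. Modern OpenSSH appends
# "agent" to its "Offering public key" line for agent-held keys; a non-zero
# count on a machine that should hold no keys is the forwarding signature.
agent_offered_keys() {
    printf '%s\n' "$1" | grep -c 'Offering public key: .* agent$' || true
}

# Constructed sample of ssh -v output from a login that used a forwarded agent.
SAMPLE_LOG='debug1: Requesting authentication agent forwarding.
debug1: Offering public key: pageant-key RSA SHA256:AAAA agent
debug1: Server accepts key: pageant-key RSA SHA256:AAAA agent
debug1: Authentication succeeded (publickey).'

# Stand-alone usage
if agent_available; then
    echo "an agent socket is reachable; a plain ssh probe may use forwarded keys"
fi
echo "probe: $(stash_whoami_cmd git-server 8022 /tmp/probe_key)"
echo "agent keys offered in sample log: $(agent_offered_keys "$SAMPLE_LOG")"
```

Run the printed probe command from the machine under test; if it is rejected while a plain `ssh -p 8022 git@git-server whoami` still answers with your username, the difference is the agent, not Stash's key handling. Turning off "Enable OpenSSH agent forwarding" in the client (or setting `ForwardAgent no` in ssh_config) removes the forwarded socket altogether.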
Hi Ethan, would you please create an issue on https://support.atlassian.com? This will allow us to dig into your problem.