Use SSH key authentication

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018

Connect to your Git repos through SSH on macOS, Linux, or Windows as a secure alternative to HTTPS authentication. On Windows, we recommend the use of Git Credential Manager or Personal Access Tokens.

Important

SSH URLs have changed, but old SSH URLs will continue to work. If you have already set up SSH, you should update your remote URLs to the new format:

  • Verify which remotes are using SSH by running git remote -v in your Git client.
  • Visit your repository on the web and select the Clone button in the upper right.
  • Select SSH and copy the new SSH URL.
  • In your Git client, run: git remote set-url <remote name, e.g. origin> <new SSH URL>. Alternatively, in Visual Studio, go to Repository Settings, and edit your remotes.

Note

As of Visual Studio 2017, SSH can be used to connect to Azure DevOps Git repos.

How SSH key authentication works

SSH public key authentication works with an asymmetric pair of generated encryption keys. The public key is shared with Azure DevOps and used to verify the initial ssh connection. The private key is kept safe and secure on your system.

Set up SSH key authentication

The following steps cover configuration of SSH key authentication on the following platforms:


  • Linux
  • macOS running at least Leopard (10.5)
  • Windows systems running Git for Windows

Configure SSH using the command line. bash is the common shell on Linux and macOS, and the Git for Windows installation adds a shortcut to Git Bash in the Start menu. Other shell environments will work, but are not covered in this article.

Step 1: Create your SSH keys

Note

If you have already created SSH keys on your system, skip this step and go to configuring SSH keys.

The commands here will let you create new default SSH keys, overwriting existing default keys. Before continuing, check your ~/.ssh folder (for example, /home/jamal/.ssh or C:\Users\jamal\.ssh) and look for the following files:

  • id_rsa
  • id_rsa.pub

If these files exist, then you have already created SSH keys. You can overwrite the keys with the following commands, or skip this step and go to configuring SSH keys to reuse these keys.

Create your SSH keys with the ssh-keygen command from the bash prompt. This command will create a 3072-bit RSA key for use with SSH. You can give a passphrase for your private key when prompted; this passphrase provides another layer of security for your private key. If you give a passphrase, be sure to configure the SSH agent to cache your passphrase so you don't have to enter it every time you connect.

    $ ssh-keygen -C "jamal@fabrikam.com"
    Generating public/private rsa key pair.
    Enter file in which to save the key (/c/Users/jamal/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /c/Users/jamal/.ssh/id_rsa.
    Your public key has been saved in /c/Users/jamal/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:******************************************* jamal@fabrikam.com
    The key's randomart image is:
    +---[RSA 3072]----+
    |+.   +yX*o .     |
    |... ..E+*=o      |
    |  ..o.=E=.o      |
    |   . * =.o .     |
    |    . S o o..    |
    |       + .oo     |
    |        S+.  .   |
    |        ..+.+    |
    |          o*..   |
    +----[SHA256]-----+

This command produces the two keys needed for SSH authentication: your private key (id_rsa) and the public key (id_rsa.pub). It is important to never share the contents of your private key. If the private key is compromised, attackers can use it to trick servers into thinking the connection is coming from you.

Step 2: Add the public key to Azure DevOps Services/TFS

Associate the public key generated in the previous step with your user ID.

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper right of the user interface. Select SSH public keys in the menu that appears.

    Screenshot that shows the SSH public keys menu item and the user avatar selected in Azure DevOps Services.

  2. Select + New Key.

    Accessing Security Configuration in Azure DevOps Services

  3. Copy the contents of the public key (for example, id_rsa.pub) that you generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

    Configuring Public Key in Azure DevOps Services

  4. Give the key a useful description (this description will be displayed on the SSH public keys page for your profile) so that you can remember it later. Select Save to store the public key. Once saved, you cannot change the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile. Also note that SSH keys stored in Azure DevOps expire after five years. If your key expires, you may upload a new key or the same one to continue accessing Azure DevOps via SSH.

  5. Test the connection by running the following command: ssh -T git@ssh.dev.azure.com. If everything is working correctly, you'll receive a response which says: remote: Shell access is not supported. If not, see the section on Questions and troubleshooting.

Step 2: Add the public key to Azure DevOps

Associate the public key generated in the previous step with your user ID.

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper right of the user interface. Select Security in the menu that appears.

    Accessing User Profile in Azure DevOps Services

  2. Select + New Key.

    Accessing Security Configuration in Azure DevOps Services

  3. Copy the contents of the public key (for example, id_rsa.pub) that you generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

    Configuring Public Key in Azure DevOps Services

  4. Give the key a useful description (this description will be displayed on the SSH public keys page for your profile) so that you can remember it later. Select Save to store the public key. Once saved, you cannot modify the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile.

  5. Test the connection by running the following command: ssh -T git@ssh.dev.azure.com. If everything is working correctly, you'll receive a response which says: remote: Shell access is not supported. If not, see the section on Questions and troubleshooting.

Step 3: Clone the Git repository with SSH

  1. Copy the SSH clone URL from the web portal. In this example, the SSH clone URL is for a repo in an organization named fabrikam-fiber, as indicated by the first part of the URL after dev.azure.com.

    Azure Repos SSH Clone URL

  2. Run git clone from the command prompt.

    git clone git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber

SSH may display the server's SSH fingerprint and ask you to verify it. You should verify that the displayed fingerprint matches one of the fingerprints in the SSH public keys page.

SSH displays this fingerprint when it connects to an unknown host to protect you from man-in-the-middle attacks. Once you accept the host's fingerprint, SSH will not prompt you again unless the fingerprint changes.

    $ git clone git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber
    Cloning into 'FabrikamFiber'...
    The authenticity of host 'ssh.dev.azure.com (65.52.8.37)' can't be established.
    RSA key fingerprint is SHA256:********************************************
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'ssh.dev.azure.com,65.52.8.37' (RSA) to the list of known hosts.
    Enter passphrase for key '/c/Users/jamal/.ssh/id_rsa':
    remote: Azure Repos
    remote: Found 127 objects to send. (50 ms)
    Receiving objects: 100% (127/127), 56.67 KiB | 2.58 MiB/s, done.
    Resolving deltas: 100% (15/15), done.

When you are asked if you want to continue connecting, type yes. Git will clone the repo and set the origin remote to connect with SSH for future Git commands.

Tip

To prevent problems, Windows users should run a command to have Git reuse their SSH key passphrase.

Questions and troubleshooting

Q: After running git clone, I get the following error. What should I do?

    Host key verification failed.
    fatal: Could not read from remote repository.

A: Manually record the SSH host key by running: ssh-keyscan -t rsa domain.com >> ~/.ssh/known_hosts. Because ssh-keyscan records whatever key the host presents, compare the resulting fingerprint with the ones published on the SSH public keys page before relying on it.

Q: How can I have Git remember the passphrase for my key on Windows?

A: Run the following command included in Git for Windows to start up the ssh-agent process in PowerShell or the Windows Command Prompt. ssh-agent will cache your passphrase so you don't have to provide it every time you connect to your repo.

    start-ssh-agent.cmd

If you're using the Bash shell (including Git Bash), start ssh-agent with:

    eval `ssh-agent`

Q: I use PuTTY as my SSH client and generated my keys with PuTTYgen. Can I use these keys with Azure DevOps Services?

A: Yes. Load the private key with PuTTYgen, go to the Conversions menu and select Export OpenSSH key. Save the private key file and then follow the steps to set up non-default keys. Copy your public key directly from the PuTTYgen window and paste it into the Key Data field in your security settings.

Q: How can I verify that the public key I uploaded is the same key as I have locally?

A: You can verify the fingerprint of the uploaded public key against the one displayed in your profile by running the following ssh-keygen command against your public key from the bash command line. You will need to change the path and the public key filename if you are not using the defaults.

    ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub

You can then compare the MD5 fingerprint to the one in your profile. This check is useful if you have connection problems or have concerns about having pasted the public key incorrectly into the Key Data field when adding the key to Azure DevOps Services.
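As an added example that is not part of the Azure DevOps documentation, the following Python reproduces what ssh-keygen -l computes for an id_rsa.pub line, so the fingerprint shown in your profile can be checked against a local key, and a paste with stray whitespace or a mangled base64 blob is rejected instead of silently producing a different fingerprint. The sample key material (SAMPLE_E, SAMPLE_N) is constructed and deliberately unusable as a real key.

```python
import base64
import hashlib
import struct

# Constructed sample: a deliberately tiny, unusable RSA modulus so the file is
# self-contained. Only the fingerprint arithmetic is being demonstrated.
SAMPLE_E = 65537
SAMPLE_N = (1 << 255) + 12345678901234567890123456789


def _mpint(value):
    """SSH mpint (RFC 4251): length-prefixed big-endian, extra 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_rsa_pubkey_line(e, n, comment):
    """Produce the 'ssh-rsa AAAA... comment' line that id_rsa.pub holds."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Split a key line into (type, raw blob, comment). Surrounding whitespace and
    newlines are dropped, the base64 is decoded strictly, and the type embedded in
    the blob must equal the type prefix, so a mangled paste fails loudly."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], " ".join(parts[2:])
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key data is not valid base64: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError(f"prefix {key_type!r} does not match the type inside the blob")
    return key_type, blob, comment


def fingerprints(line):
    """MD5 and SHA256 fingerprints in the formats 'ssh-keygen -l' prints."""
    _, blob, _ = parse_pubkey_line(line)
    md5_hex = hashlib.md5(blob).hexdigest()
    return {
        "md5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def matches_profile(line, shown):
    """Compare the local key with the fingerprint shown in the profile (either hash family)."""
    fps, shown = fingerprints(line), shown.strip()
    if shown.startswith("SHA256:"):
        return shown.rstrip("=") == fps["sha256"]
    bare = shown[4:] if shown.upper().startswith("MD5:") else shown
    return bare.lower() == fps["md5"][4:]
```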

Q: How can I start using SSH in a repository where I am currently using HTTPS?

A: You'll need to update the origin remote in Git to change over from an HTTPS to an SSH URL. Once you have the SSH clone URL, run the following command:

    git remote set-url origin git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber

You can now run any Git command that connects to origin.

Q: I'm using Git LFS with Azure DevOps Services and I get errors when pulling files tracked by Git LFS.

A: Azure DevOps Services currently doesn't support LFS over SSH. Use HTTPS to connect to repos with Git LFS tracked files.

Q: How can I use a non-default key location, i.e. not ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub?

A: To use keys created with ssh-keygen in a different place than the default, perform these two tasks:

  1. The keys must be in a folder that only you can read or edit. If the folder has wider permissions, SSH will not use the keys.
  2. You must let SSH know the location of the keys. You make SSH aware of keys through the ssh-add command, providing the full path to the private key.

    ssh-add /home/jamal/.ssh/id_jamal.rsa

On Windows, before running ssh-add, you will need to run the following command included in Git for Windows:

    start-ssh-agent.cmd

This command runs in both PowerShell and the Command Prompt. If you are using Git Bash, the command you need to use is:

    eval `ssh-agent`

You can find ssh-add as part of the Git for Windows distribution and also run it in any shell environment on Windows.

On macOS and Linux you also must have ssh-agent running before running ssh-add, but the command environment on these platforms usually takes care of starting ssh-agent for you.

Q: I have multiple SSH keys. How do I use different SSH keys for different SSH servers or repos?

A: Generally, if you configure multiple keys for an SSH client and connect to an SSH server, the client can try the keys one at a time until the server accepts one.

However, this doesn't work with Azure DevOps for technical reasons related to the SSH protocol and how our Git SSH URLs are structured. Azure DevOps will blindly accept the first key that the client provides during authentication. If that key is invalid for the requested repo, the request will fail with the following error:

    remote: Public key authentication failed.
    fatal: Could not read from remote repository.

For Azure DevOps, you'll need to configure SSH to explicitly use a specific key file. One way to do this is to edit your ~/.ssh/config file (for example, /home/jamal/.ssh/config or C:\Users\jamal\.ssh\config) as follows:

    # The settings in each Host section are applied to any Git SSH remote URL with a
    # matching hostname.
    # Generally:
    # * SSH uses the first matching line for each parameter name, e.g. if there's
    #   multiple values for a parameter across multiple matching Host sections
    # * "IdentitiesOnly yes" prevents keys cached in ssh-agent from being tried before
    #   the IdentityFile values we explicitly set.
    # * On Windows, ~/.ssh/your_private_key maps to %USERPROFILE%\.ssh\your_private_key,
    #   e.g. C:\Users\<username>\.ssh\your_private_key.

    # Most common scenario: to use the same key across all hosted Azure DevOps
    # organizations, add a Host entry like this:
    Host ssh.dev.azure.com
      IdentityFile ~/.ssh/your_private_key
      IdentitiesOnly yes

    # This model will also work if you still use the older SSH URLs with a
    # hostname of vs-ssh.visualstudio.com:
    Host vs-ssh.visualstudio.com
      IdentityFile ~/.ssh/your_private_key
      IdentitiesOnly yes

    # Less common scenario: if you need different keys for different organizations,
    # you'll need to use host aliases to create separate Host sections.
    # This is because all hosted Azure DevOps URLs have the same hostname
    # (ssh.dev.azure.com), so SSH has no way to distinguish them by default.
    #
    # Imagine that we have the following two SSH URLs:
    # * git@ssh.dev.azure.com:v3/Fabrikam/Project1/fab_repo
    #   * For this, we want to use `fabrikamkey`, so we'll create `devops_fabrikam` as
    #     a Host alias and tell SSH to use `fabrikamkey`.
    # * git@ssh.dev.azure.com:v3/Contoso/Project2/con_repo
    #   * For this, we want to use `contosokey`, so we'll create `devops_contoso` as
    #     a Host alias and tell SSH to use `contosokey`.
    #
    # To set up explicit keys for the two host aliases and to tell SSH to use the correct
    # actual hostname, add the next two Host sections:
    Host devops_fabrikam
      HostName ssh.dev.azure.com
      IdentityFile ~/.ssh/private_key_for_fabrikam
      IdentitiesOnly yes
    Host devops_contoso
      HostName ssh.dev.azure.com
      IdentityFile ~/.ssh/private_key_for_contoso
      IdentitiesOnly yes
    #
    # Then, instead of using the real URLs, tell Git you want to use these URLs:
    # * git@devops_fabrikam:v3/Fabrikam/Project1/fab_repo
    # * git@devops_contoso:v3/Contoso/Project2/con_repo
    #
    # At the end of the file, you can put global defaults for other SSH hosts you
    # may connect to.  Note that "*" also matches any hosts that match the sections
    # above, and remember that SSH uses the first matching line for each parameter name.
    Host *
For an on-premises Azure DevOps Server instance, the equivalent configuration is:

    # The settings in each Host section are applied to any Git SSH remote URL with a
    # matching hostname.
    # Generally:
    # * SSH uses the first matching line for each parameter name, e.g. if there's
    #   multiple values for a parameter across multiple matching Host sections
    # * "IdentitiesOnly yes" prevents keys cached in ssh-agent from being tried before
    #   the IdentityFile values we explicitly set.
    # * On Windows, ~/.ssh/your_private_key maps to %USERPROFILE%\.ssh\your_private_key,
    #   e.g. C:\Users\<username>\.ssh\your_private_key.

    # Say your on-premises Azure DevOps Server instance has SSH URLs like this:
    #   ssh://someHost:22/someCollection/some_project/_git/some_repo
    # Add the following Host section:
    Host someHost
      IdentityFile ~/.ssh/your_private_key
      IdentitiesOnly yes

    # At the end of the file, you can put global defaults for other SSH hosts you
    # may connect to.  Note that "*" also matches any hosts that match the sections
    # above, and remember that SSH uses the first matching line for each parameter name.
    Host *

Q: How do I fix errors that mention "no matching key exchange method found"?

A: Git for Windows 2.25.1 shipped with a new version of OpenSSH which removed some key exchange protocols by default. Specifically, diffie-hellman-group14-sha1 has been identified as problematic for some Azure DevOps Server and TFS customers. You can work around the problem by adding the following to your SSH configuration (~/.ssh/config):

    Host <your-azure-devops-host>
        KexAlgorithms +diffie-hellman-group14-sha1

Replace <your-azure-devops-host> with the hostname of your Azure DevOps or TFS server, like tfs.mycompany.com. Keep the setting inside that Host section so the older key exchange method is re-enabled only for that server rather than for every host you connect to.

Q: What notifications may I receive about my SSH keys?

A: Whenever you register a new SSH key with Azure DevOps Services, you will receive an email notification informing you that a new SSH key has been added to your account.

SSH notification example

Q: What do I do if I believe that someone other than me is adding SSH keys on my account?

A: If you receive a notification of an SSH key being registered and you did not manually upload it to the service, your credentials may have been compromised.

The next step would be to investigate whether or not your password has been compromised. Changing your password is always a good first step to defend against this attack vector. If you're an Azure Active Directory user, talk with your administrator to check if your account was used from an unknown source/location.

Q: What do I do if I'm still prompted for my password and GIT_SSH_COMMAND="ssh -v" git fetch shows no mutual signature algorithm?

A: Some Linux distributions, such as Fedora Linux, have crypto policies that require stronger SSH signature algorithms than Azure DevOps supports (as of January 2021). There's an open feature request to add this support.

You can work around the issue by adding the following code to your SSH configuration (~/.ssh/config):

    Host ssh.dev.azure.com
        PubkeyAcceptedKeyTypes=ssh-rsa

Replace ssh.dev.azure.com with the correct host name if you use Azure DevOps Server. As with the key exchange workaround above, keep the setting scoped to that Host section so the weaker signature algorithm is accepted only for Azure DevOps.