Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022 | Azure DevOps Server 2020

You can connect to your Git repos through SSH on macOS, Linux, or Windows to securely connect with Azure DevOps.

Prerequisites

How SSH key authentication works

SSH public key authentication works with an asymmetric pair of generated encryption keys. Thepublic key is shared with Azure DevOps and used to verify the initial ssh connection. Theprivate key is kept safe and secure on your system.

Set up SSH key authentication

The following steps cover configuration of SSH key authentication on the following platforms using the command line (also calledshell):

• Linux
• macOS
• Windows systems runningGit for Windows

Step 1: Create your SSH keys

To use key-based authentication, you first need to generate public/private key pairs for your client.ssh-keygen.exe is used to generate key files and the algorithms DSA, RSA, ECDSA, or Ed25519 can be specified. If no algorithm is specified, Ed25519 is used.

To generate key files using the RSA algorithm supported by Azure DevOps (either RSA-SHA2-256 or RSA-SHA2-512), run one of the following commands from a PowerShell or another shell such asbash on your client:

ssh-keygen -t rsa-sha2-256

Or

ssh-keygen -t rsa-sha2-512

The output from the command should display the following output (whereusername is your username):

Generating public/private rsa key pair.Enter file in which to save the key (C:\Users\username/.ssh/id_rsa):

You can press Enter to accept the default, or specify a path and/or filename where you would like your keys to be generated.At this point, you're prompted to use a passphrase to encrypt your private key files. The passphrase can be empty but not recommended.The passphrase works with the key file to provide two-factor authentication.

Enter passphrase (empty for no passphrase):Enter same passphrase again:Your identification has been saved in C:\Users\username/.ssh/id_rsa.Your public key has been saved in C:\Users\username/.ssh/id_rsa.pub.The key fingerprint is:SHA256:FHK6WjcUkcfQjdorarzlak1Ob/x7AmqQmmx5ryYYV+8 username@LOCAL-HOSTNAMEThe key's randomart image is:+---[RSA 3072]----+|      . ** o     ||       +.o= .    ||      . o+       ||      .+. .      ||     .ooS  .     ||  . .oo.=.o      ||   =.= O.= .     ||  . B BoE + . .  ||   . *+*o. .o+   |+----[SHA256]-----+

Now you have a public/private RSA key pair in the location specified. The .pub files are public keys, and files without an extension are private keys:

Mode                 LastWriteTime         Length Name----                 -------------         ------ -----a----        10/11/2022   6:29 PM           2610 id_rsa-a----        10/11/2022   6:29 PM            578 id_rsa.pub

Step 2: Add the public key to Azure DevOps

Associate the public key generated in the previous step with your user ID.

1. Open your security settings by browsing to the web portal and selecting the icon next to the avatar in the upper right of the user interface. SelectSSH public keys in the menu that appears.

   

2. Select+ New Key.

   

3. Copy the contents of the public key (for example,id_rsa.pub) that you generated into thePublic Key Data field.

   Important

   Avoid adding whitespace or new lines into theKey Data field, as they can cause Azure DevOps to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

   

4. Give the key a useful description (this description is displayed on theSSH public keys page for your profile) so that you can remember it later. SelectSave to store the public key.Once saved, you can't change the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile.

   Note

   SSH keys stored in Azure DevOps expire after one year, unless the organization level policy has been set. For more information, seeChange application connection & security policies for your organization.

5. On theSSH Public Keys overview page, the server fingerprints are displayed. Make note of the SHA256 fingerprint to use when you first connect to Azure DevOps via SSH.

   

6. Test the connection by running the following command:

   ssh -T git@ssh.dev.azure.com

   If you're connecting for the first time, you should receive the following output:

   The authenticity of host 'ssh.dev.azure.com (<IP>)' can't be established.RSA key fingerprint is SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])?

   Compare the fingerprint with the SHA256 fingerprint displayed on the previously mentionsSSH Public Keys page.Proceed only if they match!

7. Enteryes to continue. If everything is configured correctly, the output should look like this:

    Warning: Permanently added 'ssh.dev.azure.com' (RSA) to the list of known hosts. remote: Shell access is not supported. shell request failed on channel 0

   If not, see the section onQuestions and troubleshooting.

Step 3: Clone the Git repository with SSH

1. Copy the SSH clone URL from the web portal. In this example, the SSH clone URL is for a repo in an organization namedfabrikam-fiber, as indicated by the first part of the URL afterdev.azure.com.

   

   Note

   With Azure DevOps Services, the format for the project URL isdev.azure.com/{your organization}/{your project}. However, the previous format that references thevisualstudio.com format is still supported. For more information, seeIntroducing Azure DevOps, Switch existing organizations to use the new domain name URL.

2. Rungit clone from the command prompt.

   git clone git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber

   If you aren't using an SSH Agent, you're prompted to enter your passphrase:

   Cloning into 'FabrikamFiber'...Enter passphrase for key '/c/Users/username/.ssh/id_rsa':remote: Azure Reposremote: Found 127 objects to send. (50 ms)Receiving objects: 100% (127/127), 56.67 KiB | 2.58 MiB/s, done.Resolving deltas: 100% (15/15), done.

   If you're instead prompted to verify a fingerprint, readStep 2: Add the public key to Azure DevOps again. For other problems, read the section onQuestions and troubleshooting.

Questions and troubleshooting

Q: My SSH key has expired, what should I do?

A: Therecommended course of action is to follow the steps above tocreate and upload a new SSH key.

As an alternative option, a Project Collection Admin can disable the policy that validates the SSH key expiration date.By default, the Validate SSH key expiration policy is enabled. For more information, seeSSH key policies.

You automatically receive a notification 7 days prior and when your key expires.Along with these notifications you might also see the messaging below:

remote: Authentication failed: your SSH key has expired. To restore access, visit https://aka.ms/ado-ssh-public-key-expired for guidance.remote: Public key authentication failed.fatal:  Could not read from remote repository.

Q: I see ssh-rsa related warnings. What should I do?

A: There are two different warning messages could see:

ssh-rsa is about to be deprecated and your request has been throttled. Please use rsa-sha2-256 or rsa-sha2-512 instead. Your session will continue automatically. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.

Or

You’re using ssh-rsa that is about to be deprecated and your request has been blocked intentionally. Any SSH session using ssh-rsa is subject to brown out (failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.

If you modified your SSH config to downgrade your security settings for Azure DevOps by adding the following to your~/.ssh/config (%UserProfile%\.ssh\config on Windows) file:

Host ssh.dev.azure.com vs-ssh.visualstudio.com  HostkeyAlgorithms +ssh-rsa

Remove these lines now and make surersa-sha2-256 and/orrsa-sha2-512 are allowed.

For more information, see theblog post.

Q: SSH can't establish a connection. What should I do?

A: There are multiple different problems that you could experience:

• Use of unsupported ssh-rsa

  You’re using ssh-rsa that is unsupported. Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.

  If you modified your SSH config to downgrade your security settings for Azure DevOps by adding the following to your~/.ssh/config (%UserProfile%\.ssh\config on Windows) file:

  Host ssh.dev.azure.com vs-ssh.visualstudio.com   HostkeyAlgorithms +ssh-rsa

  Remove these lines now and make surersa-sha2-256 and/orrsa-sha2-512 are allowed.

  For more information, see theblog post.

• No matching host key

  This problem shouldn't happen on Azure DevOps Service or on more recent Azure DevOps Server versions as mentioned in theblog post.

  Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: ssh-rsa

  Modify your SSH config to downgrade your security settings for Azure DevOps by adding the following to your~/.ssh/config (%UserProfile%\.ssh\config on Windows) file:

  Host ssh.dev.azure.com vs-ssh.visualstudio.com   HostkeyAlgorithms +ssh-rsa

  Important

  OpenSSH deprecated thessh-rsa public key signature algorithm inversion 8.2 and disabled it by default inversion 8.8.

• No matching MAC

  Unable to negotiate with <IP> port 22: no matching MAC found. Their offer: hmac-sha2-256,hmac-sha2-512

  Modify your SSH config to downgrade your security settings for Azure DevOps by adding the following to your~/.ssh/config (%UserProfile%\.ssh\config on Windows) file:

  Host ssh.dev.azure.com vs-ssh.visualstudio.com   MACs +hmac-sha2-512,+hmac-sha2-256

• No matching key exchange method

  Unable to negotiate with <IP> 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256

  Modify your SSH config to downgrade your security settings for Azure DevOps by adding the following to your~/.ssh/config (%UserProfile%\.ssh\config on Windows) file:

  Host ssh.dev.azure.com vs-ssh.visualstudio.com   KexAlgorithms +diffie-hellman-group-exchange-sha256,+diffie-hellman-group14-sha1,+diffie-hellman-group1-sha1

  Important

  The key exchange algorithmdiffie-hellman-group1-sha1 has been disabled by default inversion 6.9 of OpenSSH anddiffie-hellman-group14-sha1 inversion 8.2.

Q: How can I have Git remember the passphrase for my key?

A: You can use an SSH Agent. Linux, macOS, and Windows (starting withWindows 10 (build 1809) or by using Git for Windows with Git Bash) all ship with an SSH Agent. The SSH Agent can be used to cache your SSH keys for repeated use. Consult your SSH vendor's manual for details on how to use it.

Q: I usePuTTY as my SSH client and generated my keys with PuTTYgen. Can I use these keys with Azure DevOps Services?

A: Yes. Load the private key with PuTTYgen, go toConversions menu, and selectExport OpenSSH key.Save the private key file and then follow the steps toset up nondefault keys.Copy your public key directly from the PuTTYgen window and paste into theKey Data field in your security settings.

Q: How can I verify that the public key I uploaded is the same key as my local key?

A: You can verify the fingerprint of the public key uploaded with the one displayed in your profile through the followingssh-keygen command run against your public key usingthe command line. You need to change the path and the public key filename if you aren't using the defaults.

ssh-keygen -l -E md5 -f <path_to_your_public_key> -- use this for MD5 fingerprintsssh-keygen -l -E sha256 -f <path_to_your_public_key> -- use this for SHA-256 fingerprints

You can then compare the signature to the one in your profile. This check is useful if you have connection problems or have concerns about incorrectlypasting in the public key into theKey Data field when adding the key to Azure DevOps.

Q: How can I start using SSH in a repository where I'm currently using HTTPS?

A: You need to update theorigin remote in Git to change over from an HTTPS to SSH URL. Once you have theSSH clone URL, run the following command:

git remote set-url origin <SSH URL to your repository>

Git commands accessing the remote calledorigin uses SSH.

Q: I'm using Git LFS with Azure DevOps Services and I get errors when pulling files tracked by Git LFS.

A: Azure DevOps Services currently doesn't support LFS over SSH. Use HTTPS to connect to repos with Git LFS tracked files.

Q: How can I use a nondefault key location, that is, not ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub?

A: To use a key stored in a different place than the default, perform these two tasks:

1. The keys must be in a folder that only you can read or edit. If the folder has wider permissions, SSH doesn't use the keys.

2. You must let SSH know the location of the key, for example, by specifying it as an "Identity" in the SSH config:

   Host ssh.dev.azure.com  IdentityFile ~/.ssh/id_rsa_azure  IdentitiesOnly yes

TheIdentitiesOnly yes setting ensures that SSH doesn't use any other available identity to authenticate. This setting is particular important if more than one identity is available.

Q: I have multiple SSH keys. How do I use the correct SSH key for Azure DevOps?

A: Generally, when you configure multiple keys for an SSH client, the client attempts to authenticate with each key sequentially until the SSH server accepts one.

However, this approach doesn't work with Azure DevOps due to technical constraints related to the SSH protocol and the structure of our Git SSH URLs. Azure DevOps accepts the first key provided by the client during authentication. If this key is invalid for the requested repository, the request fails without attempting any other available keys, resulting in the following error:

remote: Public key authentication failed.fatal: Could not read from remote repository.

For Azure DevOps, you need to configure SSH to explicitly use a specific key file. The procedure is the same as when using a key stored in anondefault location. Tell SSH to use the correct SSH key for the Azure DevOps host.

Q: How do I use different SSH keys for different organizations on Azure DevOps?

A: Azure DevOps blindly accepts the first key that the client provides during authentication. If that key is invalid for the requested repository, the request fails with the following error:

remote: Public key authentication failed.fatal: Could not read from remote repository.

This failure is because all Azure DevOps URLs share the same hostname (ssh.dev.azure.com), making it impossible for SSH to distinguish between them by default. However, you can modify your SSH configuration to differentiate between different organizations by providing distinct keys for each. Use host aliases to create separateHost sections in your SSH configuration file.

# The settings in each Host section are applied to any Git SSH remote URL with a# matching hostname.# Generally:# * SSH uses the first matching line for each parameter name, e.g. if there's#   multiple values for a parameter across multiple matching Host sections# * "IdentitiesOnly yes" prevents keys cached in ssh-agent from being tried before#   the IdentityFile values we explicitly set.# * On Windows, ~/.ssh/your_private_key maps to %USERPROFILE%\.ssh\your_private_key,#   e.g. C:\Users\<username>\.ssh\your_private_key.# Imagine that we have the following two SSH URLs:# * git@ssh.dev.azure.com:v3/Fabrikam/Project1/fab_repo#   * For this, we want to use `fabrikamkey`, so we'll create `devops_fabrikam` as#     a Host alias and tell SSH to use `fabrikamkey`.# * git@ssh.dev.azure.com:v3/Contoso/Project2/con_repo#   * For this, we want to use `contosokey`, so we'll create `devops_contoso` as#     a Host alias and tell SSH to use `contosokey`.## To set explicit keys for the two host aliases and to tell SSH to use the correct# actual hostname, add the next two Host sections:Host devops_fabrikam  HostName ssh.dev.azure.com  IdentityFile ~/.ssh/private_key_for_fabrikam  IdentitiesOnly yesHost devops_contoso  HostName ssh.dev.azure.com  IdentityFile ~/.ssh/private_key_for_contoso  IdentitiesOnly yes

Afterwards, instead of using the real URLs, tell Git you want to use these URLs for each repository as remote by replacing the hostname in the existing remotes withdevops_fabrikam anddevops_contoso respectively. For example,git@ssh.dev.azure.com:v3/Fabrikam/Project1/fab_repo would becomegit@devops_fabrikam:v3/Fabrikam/Project1/fab_repo.

Q: What notifications may I receive about my SSH key(s)?

A: There are a few notifications you may receive regarding your SSH key(s).

• A new SSH key was added to your organization

• An SSH key associated with your account will expire in 7 days and will not be valid for authentication.

• An SSH key associated with your account has expired and is no longer valid for authentication.

  Example notification

  

Q: What do I do if I believe that someone other than me is adding SSH keys on my account?

A: If you receive an SSH key registration notification you didn't initiate, your credentials could be compromised.

The next step would be to investigate whether or not your password is compromised. Changing your password is always a good first step to defend against this attack vector. If you're a Microsoft Entra user, talk with your administrator to check if your account was used from an unknown source/location.

Q: What do I do if I'm still prompted for my password andGIT_SSH_COMMAND="ssh -v" git fetch showsno mutual signature algorithm orcorresponding algo not in PubkeyAcceptedAlgorithms?

A: Some Linux distributions, such as Fedora Linux, have crypto policies that require stronger SSH signature algorithms than Azure DevOps supports (as of January 2021). There's an openfeature request to add this support.

You can work around the issue by adding the following code to your SSH configuration (~/.ssh/config):

Host ssh.dev.azure.com vs-ssh.visualstudio.com  PubkeyAcceptedKeyTypes +ssh-rsa