Use SSH key authentication

Azure DevOps Services | Azure DevOps Server 2022 | Azure DevOps Server 2022 | TFS 2018

Connect to your Git repos through SSH on macOS, Linux, or Windows to securely connect using HTTPS authentication. On Windows, nosotros recommended the use of Git Credential Managing director or Personal Admission Tokens.

Important

SSH URLs take changed, but old SSH URLs will continue to piece of work. If you have already fix SSH, you should update your remote URLs to the new format:

  • Verify which remotes are using SSH by running git remote -v in your Git client.
  • Visit your repository on the web and select the Clone button in the upper right.
  • Select SSH and copy the new SSH URL.
  • In your Git customer, run: git remote set-url <remote proper noun, e.g. origin> <new SSH URL>. Alternatively, in Visual Studio, go to Repository Settings, and edit your remotes.

Note

Every bit of Visual Studio 2017, SSH can be used to connect to Azure DevOps Git repos.

How SSH key authentication works

SSH public central authentication works with an disproportionate pair of generated encryption keys. The public cardinal is shared with Azure DevOps and used to verify the initial ssh connexion. The private key is kept safe and secure on your arrangement.

Set up SSH central authentication

The following steps cover configuration of SSH key hallmark on the post-obit platforms:


  • Linux
  • macOS running at least Leopard (10.5)
  • Windows systems running Git for Windows

Configure SSH using the command line. fustigate is the common trounce on Linux and macOS and the Git for Windows installation adds a shortcut to Git Bash in the Showtime menu. Other shell environments will work, merely are not covered in this commodity.

Step i: Create your SSH keys

Note

If y'all take already created SSH keys on your system, skip this step and go to configuring SSH keys.

The commands here will let you lot create new default SSH keys, overwriting existing default keys. Before continuing, check your ~/.ssh folder (for example, /domicile/jamal/.ssh or C:\Users\jamal\.ssh) and look for the post-obit files:

  • id_rsa
  • id_rsa.pub

If these files exist, then you take already created SSH keys. You can overwrite the keys with the following commands, or skip this step and get to configuring SSH keys to reuse these keys.

Create your SSH keys with the ssh-keygen control from the bash prompt. This control will create a 3072-bit RSA key for use with SSH. You can give a passphrase for your private key when prompted—this passphrase provides another layer of security for your individual key. If you lot give a passphrase, be certain to configure the SSH amanuensis to cache your passphrase and so you don't have to enter it every time you lot connect.

              $ ssh-keygen -C "jamal@fabrikam.com" Generating public/private rsa key pair. Enter file in which to salvage the key (/c/Users/jamal/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter aforementioned passphrase once again: Your identification has been saved in /c/Users/jamal/.ssh/id_rsa. Your public cardinal has been saved in /c/Users/jamal/.ssh/id_rsa.pub. The cardinal fingerprint is: SHA256:******************************************* jamal@fabrikam.com The key's randomart image is: +---[RSA 3072]----+ |+.   +yX*o .     | |... ..E+*=o      | |  ..o.=Eastward=.o      | |   . * =.o .     | |    . S o o..    | |       + .oo     | |        Southward+.  .   | |        ..+.+    | |          o*..   | +----[SHA256]-----+                          

This command produces the two keys needed for SSH authentication: your private key ( id_rsa ) and the public key ( id_rsa.pub ). It is important to never share the contents of your individual key. If the private central is compromised, attackers tin utilise information technology to trick servers into thinking the connexion is coming from you.

Step 2: Add together the public key to Azure DevOps Services/TFS

Associate the public primal generated in the previous step with your user ID.

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper correct of the user interface. Select SSH public keys in the menu that appears.

    Screenshot that shows the SSH public keys menu item and the user avatar selected in Azure DevOps Services.

  2. Select + New Key.

    Accessing Security Configuration in Azure DevOps Services

  3. Re-create the contents of the public fundamental (for case, id_rsa.pub) that you lot generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Cardinal Data field, as they can cause Azure DevOps Services to utilize an invalid public key. When pasting in the key, a newline often is added at the end. Exist sure to remove this newline if information technology occurs.

    Configuring Public Key in Azure DevOps Services

  4. Requite the key a useful description (this description will be displayed on the SSH public keys folio for your profile) then that you can retrieve it later. Select Salvage to shop the public central. Once saved, y'all cannot alter the key. Y'all tin delete the primal or create a new entry for some other key. In that location are no restrictions on how many keys you can add to your user contour. Too note that SSH keys stored in Azure DevOps elapse after five years. If your fundamental expires, you may upload a new key or the same ane to go along accessing Azure DevOps via SSH.

  5. Test the connexion past running the following command: ssh -T git@ssh.dev.azure.com. If everything is working correctly, you'll receive a response which says: remote: Beat out access is not supported. If not, see the section on Questions and troubleshooting.

Step 2: Add together the public primal to Azure DevOps

Associate the public primal generated in the previous footstep with your user ID.

  1. Open up your security settings by browsing to the web portal and selecting your avatar in the upper correct of the user interface. Select Security in the menu that appears.

    Accessing User Profile in Azure DevOps Services

  2. Select + New Fundamental.

    Accessing Security Configuration in Azure DevOps Services

  3. Re-create the contents of the public key (for case, id_rsa.pub) that you generated into the Public Central Data field.

    Important

    Avert adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public cardinal. When pasting in the key, a newline often is added at the end. Exist certain to remove this newline if it occurs.

    Configuring Public Key in Azure DevOps Services

  4. Requite the key a useful description (this description volition be displayed on the SSH public keys folio for your profile) so that you can retrieve information technology afterwards. Select Save to store the public key. One time saved, you cannot change the fundamental. Y'all can delete the key or create a new entry for another key. There are no restrictions on how many keys you tin add to your user profile.

  5. Test the connection by running the following control: ssh -T git@ssh.dev.azure.com. If everything is working correctly, you'll receive a response which says: remote: Shell admission is not supported. If not, see the section on Questions and troubleshooting.

Step 3: Clone the Git repository with SSH

  1. Copy the SSH clone URL from the web portal. In this example, the SSL clone URL is for a repo in an organisation named fabrikam-fiber, as indicated by the showtime part of the URL subsequently dev.azure.com.

    Azure Repos SSH Clone URL

  2. Run git clone from the command prompt.

                      git clone git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber                                  

SSH may display the server's SSH fingerprint and ask you lot to verify it. You lot should verify that the displayed fingerprint matches one of the fingerprints in the SSH public keys page.

SSH displays this fingerprint when it connects to an unknown host to protect yous from man-in-the-centre attacks. Once you take the host'due south fingerprint, SSH volition not prompt you lot over again unless the fingerprint changes.

              $ git clone git@ssh.dev.azure.com:v3/fabrikam-cobweb/FabrikamFiber/FabrikamFiber Cloning into 'FabrikamFiber'... The authenticity of host 'ssh.dev.azure.com (65.52.8.37)' can't be established. RSA key fingerprint is SHA256:******************************************** Are you certain you want to continue connecting (yes/no)? yeah Warning: Permanently added 'ssh.dev.azure.com,65.52.eight.37' (RSA) to the list of known hosts. Enter passphrase for central '/c/Users/jamal/.ssh/id_rsa': remote: Azure Repos remote: Found 127 objects to send. (50 ms) Receiving objects: 100% (127/127), 56.67 KiB | 2.58 MiB/s, washed. Resolving deltas: 100% (15/15), done.                          

When you are asked if you desire to continue connecting, blazon yes. Git will clone the repo and ready the origin remote to connect with SSH for future Git commands.

Tip

To foreclose problems, Windows users should run a control to have Git reuse their SSH fundamental passphrase.

Questions and troubleshooting

Q: Afterwards running git clone, I go the following error. What should I do?

              Host key verification failed.  fatal: Could non read from remote repository.                          

A: Manually record the SSH key past running: ssh-keyscan -t rsa domain.com >> ~/.ssh/known_hosts

Q: How can I have Git remember the passphrase for my cardinal on Windows?

A: Run the post-obit command included in Git for Windows to start up the ssh-agent process in PowerShell or the Windows Command Prompt. ssh-amanuensis will cache your passphrase and so you don't have to provide information technology every time you lot connect to your repo.

              start-ssh-agent.cmd                          

If you're using the Bash trounce (including Git Bash), showtime ssh-amanuensis with:

              eval `ssh-agent`                          

Q: I apply PuTTY as my SSH client and generated my keys with PuTTYgen. Tin can I use these keys with Azure DevOps Services?

A: Yes. Load the private key with PuTTYgen, go to Conversions menu and select Export OpenSSH fundamental. Save the private key file and then follow the steps to prepare non-default keys. Re-create your public key directly from the PuTTYgen window and paste into the Key Data field in your security settings.

Q: How can I verify that the public key I uploaded is the same key as I accept locally?

A: You lot can verify the fingerprint of the public cardinal uploaded with the 1 displayed in your contour through the post-obit ssh-keygen command run against your public key using the fustigate control line. You will demand to alter the path and the public key filename if you are not using the defaults.

              ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub                          

You can then compare the MD5 signature to the i in your profile. This check is useful if you have connectedness bug or have concerns nearly incorrectly pasting in the public key into the Key Information field when adding the key to Azure DevOps Services.

Q: How can I start using SSH in a repository where I am currently using HTTPS?

A: You lot'll need to update the origin remote in Git to change over from a HTTPS to SSH URL. In one case you have the SSH clone URL, run the following command:

              git remote set-url origin git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber                          

You can now run whatever Git command that connects to origin.

Q: I'm using Git LFS with Azure DevOps Services and I get errors when pulling files tracked by Git LFS.

A: Azure DevOps Services currently doesn't support LFS over SSH. Utilise HTTPS to connect to repos with Git LFS tracked files.

Q: How can I use a non-default cardinal location, i.east. not ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub?

A: To use keys created with ssh-keygen in a different identify than the default, perform these two tasks:

  1. The keys must exist in a folder that simply y'all can read or edit. If the folder has wider permissions, SSH volition non use the keys.
  2. You must let SSH know the location of the keys. You brand SSH aware of keys through the ssh-add command, providing the full path to the private key.
              ssh-add together /home/jamal/.ssh/id_jamal.rsa                          

On Windows, before running ssh-add together, you lot will demand to run the following command from included in Git for Windows:

              get-go-ssh-amanuensis.cmd                          

This command runs in both PowerShell and the Command Prompt. If y'all are using Git Fustigate, the command you need to use is:

              eval `ssh-agent`                          

You can notice ssh-add together as role of the Git for Windows distribution and too run it in any shell environs on Windows.

On macOS and Linux you likewise must have ssh-agent running earlier running ssh-add, but the command environment on these platforms usually takes care of starting ssh-amanuensis for you.

Q: I have multiple SSH keys. How do I utilize different SSH keys for different SSH servers or repos?

A: More often than not, if you configure multiple keys for an SSH client and connect to an SSH server, the client can try the keys one at a fourth dimension until the server accepts one.

However, this doesn't piece of work with Azure DevOps for technical reasons related to the SSH protocol and how our Git SSH URLs are structured. Azure DevOps volition blindly take the first key that the customer provides during authentication. If that key is invalid for the requested repo, the request will fail with the following error:

                remote: Public key hallmark failed. fatal: Could not read from remote repository.                              

For Azure DevOps, you'll need to configure SSH to explicitly utilise a specific central file. I way to practise this to edit your ~/.ssh/config file (for example, /home/jamal/.ssh or C:\Users\jamal\.ssh) equally follows:

                # The settings in each Host department are applied to whatever Git SSH remote URL with a # matching hostname. # Generally: # * SSH uses the first matching line for each parameter name, e.g. if there's #   multiple values for a parameter beyond multiple matching Host sections # * "IdentitiesOnly yes" prevents keys buried in ssh-agent from being tried before #   the IdentityFile values we explicitly set up. # * On Windows, ~/.ssh/your_private_key maps to %USERPROFILE%\.ssh\your_private_key, #   e.1000. C:\Users\<username>\.ssh\your_private_key.  # About mutual scenario: to utilize the same key across all hosted Azure DevOps # organizations, add a Host entry similar this: Host ssh.dev.azure.com   IdentityFile ~/.ssh/your_private_key   IdentitiesOnly yes  # This model will besides work if you still use the older SSH URLs with a # hostname of vs-ssh.visualstudio.com: Host vs-ssh.visualstudio.com   IdentityFile ~/.ssh/your_private_key   IdentitiesOnly yes  # Less mutual scenario: if you need different keys for different organizations, # yous'll need to utilise host aliases to create separate Host sections. # This is because all hosted Azure DevOps URLs have the aforementioned hostname # (ssh.dev.azure.com), so SSH has no style to distinguish them by default. # # Imagine that nosotros have the following 2 SSH URLs: # * git@ssh.dev.azure.com:v3/Fabrikam/Project1/fab_repo #   * For this, we desire to use `fabrikamkey`, so nosotros'll create `devops_fabrikam` as #     a Host alias and tell SSH to use `fabrikamkey`. # * git@ssh.dev.azure.com:v3/Contoso/Project2/con_repo #   * For this, we want to use `contosokey`, and so we'll create `devops_contoso` as #     a Host alias and tell SSH to utilize `contosokey`. # # To set explicit keys for the two host aliases and to tell SSH to use the correct # actual hostname, add the adjacent two Host sections: Host devops_fabrikam   HostName ssh.dev.azure.com   IdentityFile ~/.ssh/private_key_for_fabrikam   IdentitiesOnly yep Host devops_contoso   HostName ssh.dev.azure.com   IdentityFile ~/.ssh/private_key_for_contoso   IdentitiesOnly yes # # Then, instead of using the real URLs, tell Git you want to use these URLs: # * git@devops_fabrikam:v3/Fabrikam/Project1/fab_repo # * git@devops_contoso:v3/Contoso/Project2/con_repo #  # At the end of the file, you can put global defaults for other SSH hosts you # may connect to.  Note that "*" also matches any hosts that lucifer the sections # above, and recall that SSH uses the showtime matching line for each parameter name. Host *                              
                # The settings in each Host section are practical to any Git SSH remote URL with a # matching hostname. # More often than not: # * SSH uses the first matching line for each parameter name, e.thou. if there'southward #   multiple values for a parameter across multiple matching Host sections # * "IdentitiesOnly yes" prevents keys buried in ssh-agent from being tried before #   the IdentityFile values nosotros explicitly set. # * On Windows, ~/.ssh/your_private_key maps to %USERPROFILE%\.ssh\your_private_key, #   e.g. C:\Users\<username>\.ssh\your_private_key.  # Say your on-premises Azure DevOps Server case has SSH URLs like this: #   ssh://someHost:22/someCollection/some_project/_git/some_repo # Add the following Host section: Host someHost   IdentityFile ~/.ssh/your_private_key   IdentitiesOnly yes  # At the cease of the file, yous tin can put global defaults for other SSH hosts you # may connect to.  Annotation that "*" also matches any hosts that match the sections # above, and call back that SSH uses the beginning matching line for each parameter name. Host *                              

Q: How do I set errors that mention "no matching cardinal exchange method establish"?

A: Git for Windows ii.25.1 shipped with a new version of OpenSSH which removed some primal commutation protocols past default. Specifically, diffie-hellman-group14-sha1 has been identified as problematic for some Azure DevOps Server and TFS customers. You can piece of work effectually the problem past adding the following to your SSH configuration (~/.ssh/config):

                Host <your-azure-devops-host>     KexAlgorithms +diffie-hellman-group14-sha1                              

Replace <your-azure-devops-host> with the hostname of your Azure DevOps or TFS server, like tfs.mycompany.com.

Q: What notifications may I receive near my SSH keys?

A: Whenever you annals a new SSH Key with Azure DevOps Services, you will receive an email notification informing you that a new SSH key has been added to your account.

SSH notification example

Q: What practice I practice if I believe that someone other than me is calculation SSH keys on my business relationship?

A: If yous receive a notification of an SSH key beingness registered and you did not manually upload it to the service, your credentials may accept been compromised.

The next step would be to investigate whether or not your password has been compromised. Changing your password is always a skilful beginning step to defend against this assault vector. If you're an Azure Agile Directory user, talk with your administrator to bank check if your account was used from an unknown source/location.

Q: What do I do if I'm however prompted for my password and GIT_SSH_COMMAND="ssh -v" git fetch shows no mutual signature algorithm?

A: Some Linux distributions, such as Fedora Linux, have crypto policies that require stronger SSH signature algorithms than Azure DevOps supports (as of January 2021). There'southward an open feature request to add this support.

Yous can work around the issue past adding the following code to your SSH configuration (~/.ssh/config):

              Host ssh.dev.azure.com   PubkeyAcceptedKeyTypes=ssh-rsa                          

Replace ssh.dev.azure.com with the correct host name if yous apply Azure DevOps Server.