Azure DevOps SSH-RSA Setup and Configuration


Setting up SSH key authentication for Azure DevOps lets Git (and other SSH clients) on your machine authenticate to Azure DevOps with a key pair instead of a password or personal access token. ssh-rsa is the key type Azure DevOps accepts; the pair consists of a private key, which stays on your machine, and a public key, which you register with Azure DevOps.

To generate a new RSA key pair, run ssh-keygen in your terminal. The command writes two files: the private key and the matching public key.

The private key must be kept secret and never shared; the public key can be shared freely. In Azure DevOps you register the public key under your user settings (SSH public keys), after which it authenticates you to every repository your account already has access to. (An SSH service connection is a different feature: it holds a private key that pipelines use to reach other SSH hosts.)

Setting Up SSH Keys

To use SSH key authentication, you first need to generate a public/private key pair on your client. Azure DevOps accepts only RSA keys (the ssh-rsa key type); for signatures it supports rsa-sha2-256 and rsa-sha2-512, not the SHA-1-based ssh-rsa signature scheme.

Use ssh-keygen (ssh-keygen.exe on Windows) and pass -t rsa explicitly. Recent OpenSSH releases (9.5 and later) default to Ed25519 when no key type is given, and Azure DevOps rejects Ed25519 keys. A 3072- or 4096-bit RSA key is a sensible size.


ssh-keygen first asks where to save the key; the default path it offers is id_rsa inside the .ssh directory of your user profile (the path contains your username). Press Enter to accept the default, or type the path and/or filename you want.

Next you are prompted for a passphrase, which is used to encrypt the private key file. The passphrase may be left empty, but that is not recommended: with a passphrase, someone who copies the key file still cannot use it without also knowing the passphrase.

The private key files are the equivalent of a password and should be protected the same way. Never share the contents of your private key.

Here's a summary of the steps to generate SSH keys:

  • Run ssh-keygen (ssh-keygen.exe on Windows) with -t rsa to select the RSA algorithm
  • Specify a path and/or filename for the key files
  • Use a passphrase to encrypt the private key file (optional, but strongly recommended)

Note: The private key files should be kept secure and not shared with anyone.
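As an added, runnable example (not code from the original article), here is a POSIX shell script that carries out the steps above and adds the two checks a practitioner wants afterwards: that the generated key really is ssh-rsa of adequate length (a default Ed25519 key would be rejected by Azure DevOps), and the fingerprint to compare against the one shown in the portal. The function names, the file name id_rsa_azdo and the comment string are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: generate an RSA key pair for Azure DevOps,
# confirm it is the key type Azure DevOps accepts, and print the fingerprint to compare with
# the one shown under User settings > SSH public keys. Function names are this example's own.
set -eu

# Generate an RSA key at $1 with comment $2, passphrase $3 ("" for none) and $4 bits (default 4096).
# -t rsa must be given explicitly: OpenSSH 9.5 and later default to Ed25519, which Azure DevOps rejects.
gen_azdo_key() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 2; }
  ssh-keygen -q -t rsa -b "${4:-4096}" -C "$2" -f "$1" -N "$3"
  chmod 600 "$1"   # the private key is equivalent to a password; keep it owner-only
}

# Return 0 if public key file $1 is ssh-rsa with at least $2 bits (default 2048), else 1.
check_azdo_key() {
  keytype=$(cut -d' ' -f1 "$1")
  [ "$keytype" = ssh-rsa ] || { echo "$1: type $keytype; Azure DevOps accepts only RSA keys" >&2; return 1; }
  bits=$(ssh-keygen -l -f "$1" | cut -d' ' -f1)
  [ "$bits" -ge "${2:-2048}" ] || { echo "$1: only $bits bits" >&2; return 1; }
}

# Print the fingerprint of public key $1. Azure DevOps shows SHA-256 fingerprints since
# August/September 2024; pass md5 as $2 to compare against the older MD5 display.
pubkey_fingerprint() {
  ssh-keygen -l -E "${2:-sha256}" -f "$1" | cut -d' ' -f2
}

# Demo: generate a throwaway key in a temporary directory. For the key you actually
# register, use ~/.ssh/id_rsa_azdo (or similar) and a real passphrase.
if command -v ssh-keygen >/dev/null 2>&1; then
  tmp=$(mktemp -d)
  gen_azdo_key "$tmp/id_rsa_azdo" "azdo-example" "" 3072
  check_azdo_key "$tmp/id_rsa_azdo.pub" 3072
  echo "fingerprint: $(pubkey_fingerprint "$tmp/id_rsa_azdo.pub")"
  echo "paste the following line into Azure DevOps > User settings > SSH public keys:"
  cat "$tmp/id_rsa_azdo.pub"
  rm -rf "$tmp"
fi
```

The first field of the public key file reads ssh-rsa for every RSA key regardless of age or size; which signature algorithm (the SHA-1 ssh-rsa scheme or rsa-sha2-256/512) is used on a connection is negotiated between client and server and is a separate concern from the key type, which is why the check above looks at type and length only.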

Connecting to Azure DevOps

This section covers connecting to a virtual machine in Azure over SSH with the Visual Studio Code Remote - SSH extension; it is separate from using SSH for Git with Azure DevOps. You first need a VM in Azure with SSH enabled and your public key installed on it.

To connect to your SSH host, click on the indicator on the bottom-left corner of the Status bar. This will bring up a list of Remote extension commands.


Choose the Connect to Host... command in the Remote-SSH section and enter connection information for your VM in the format user@hostname. The user is the username you set when adding the SSH public key to your VM.

Before connecting in Remote-SSH, verify that you can reach the VM from a command prompt with ssh user@hostname. If that fails, and the VM's network security group contains a rule named NRMS-Rule-106 that blocks the inbound connection, delete it from the Networking tab of your VM.

Once connected, you can interact with files and open folders on the remote machine. You can also use the bash shell to browse the file system on the VM.

To configure your SSH connections, open the Remote explorer and select SSH Targets. Here, you can save the hosts you connect to the most and access them from here instead of entering the user and hostname.

Preparing for Git Repository

To prepare a pipeline for cloning a Git repository over SSH, the pipeline needs the private key. Upload the private key file created in the previous step, id_rsa, to Azure Pipelines -> Library -> Secure files and give it a recognisable name; secure files are stored encrypted and can only be downloaded by pipelines that have been granted access to them.

You also need to register the public key in Azure DevOps. Under User settings, go to SSH public keys, select Add, give the key a name and paste in the contents of id_rsa.pub. The name is only a label and can be chosen for easier identification.

The Install SSH Key task also needs these pipeline variables (the names below are the ones used in this walkthrough):

  • SSH public key variable: terraform-git-ssh-pub (the contents of id_rsa.pub)
  • Known hosts variable: git_ssh_known_hosts (the known_hosts line for ssh.dev.azure.com)
  • Optional: passphrase variable git_ssh_pass, as a secret variable, if the private key is passphrase-protected

These variables can be stored as secrets in Azure Key Vault instead, accessed using the Azure Key Vault task in your pipeline.

Clone Git Repository

To clone a Git repository, use its SSH clone URL from the web portal (Repos > Files > Clone > SSH). Azure DevOps SSH URLs have the form git@ssh.dev.azure.com:v3/{organization}/{project}/{repository}; the HTTPS URL (https://dev.azure.com/{organization}/{project}/_git/{repository}) will not use your SSH key.

The first step is to copy the SSH clone URL from the web portal.

You can then run `git clone` from the command prompt, followed by the SSH clone URL. For example, `git clone git@ssh.dev.azure.com:v3/fabrikam-fiber/FabrikamFiber/FabrikamFiber`.

If your key is loaded in an SSH agent, you won't be asked for the passphrase. Otherwise ssh prompts for the passphrase when the clone starts.


Here are the steps to clone a Git repository:

  1. Copy the SSH clone URL from the web portal.
  2. Run `git clone` from the command prompt, followed by the SSH clone URL.

Being asked for your key's passphrase is normal. If instead the clone fails with "Permission denied (publickey)", Azure DevOps did not accept any key you offered, which usually means the public key has not been registered: go back to the section on adding the public key to Azure DevOps.
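As an added example that is not part of the original article and not the Install SSH Key task's own code, the script below is a shell step for an Azure Pipelines job that does what that task does for a key without a passphrase (install the private key and a pinned known_hosts entry with safe permissions, offer only that key) and then clones the repository over SSH. It assumes a preceding DownloadSecureFile@1 step named azdoKey and that the step's env section maps AZDO_KEY_FILE to $(azdoKey.secureFilePath), AZDO_KNOWN_HOSTS to the known hosts variable and AZDO_SSH_URL to the SSH clone URL; those environment variable names, the function name and the file name id_azdo are this example's own choices. Keys with a passphrase are better left to the Install SSH Key task, which has an sshPassphrase input for them.

```shell
#!/bin/sh
# Added example, not from the original article or the Install SSH Key task: a script step
# that installs the private key from a secure file, pins the server host key, and clones.
# Assumes these variables are mapped into the step's environment from the pipeline:
#   AZDO_KEY_FILE=$(azdoKey.secureFilePath)   (DownloadSecureFile@1 step named azdoKey)
#   AZDO_KNOWN_HOSTS=$(git_ssh_known_hosts)   (one known_hosts line for ssh.dev.azure.com)
#   AZDO_SSH_URL=git@ssh.dev.azure.com:v3/<org>/<project>/<repo>
# Variable and function names are this example's own.
set -eu

# Install private key $1 and known_hosts line $2 under $HOME/.ssh with owner-only
# permissions, then print the ssh command Git should use.
install_ssh_identity() {
  sshdir=$HOME/.ssh
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  cp "$1" "$sshdir/id_azdo"
  chmod 600 "$sshdir/id_azdo"          # private key: equivalent to a password
  # Pin the server's host key instead of trusting whatever it presents on first contact.
  touch "$sshdir/known_hosts"
  chmod 600 "$sshdir/known_hosts"
  grep -qxF "$2" "$sshdir/known_hosts" || printf '%s\n' "$2" >> "$sshdir/known_hosts"
  # IdentitiesOnly: offer only this key. Azure DevOps authenticates with the first key the
  # client presents, so a stray agent key could be chosen instead and fail on this repo.
  printf 'ssh -i %s -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' \
    "$sshdir/id_azdo" "$sshdir/known_hosts"
}

# Only act when running inside the pipeline (the variables above are set).
if [ -n "${AZDO_KEY_FILE-}" ]; then
  GIT_SSH_COMMAND=$(install_ssh_identity "$AZDO_KEY_FILE" "${AZDO_KNOWN_HOSTS:?known_hosts entry required}")
  export GIT_SSH_COMMAND
  git clone "${AZDO_SSH_URL:?SSH clone URL required}" source
  rm -f "$HOME/.ssh/id_azdo"   # do not leave the private key behind on a shared agent
fi
```

StrictHostKeyChecking=yes together with the pinned known_hosts entry means the clone fails loudly if the server presents a different host key, rather than silently accepting a new one; the entry itself should come from ssh-keyscan output whose fingerprint you have verified against the value Azure DevOps publishes.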

Prepare

To prepare for the VS Code Remote - SSH connection described above, you need an OpenSSH-compatible SSH client; PuTTY is not supported.

You'll also need to install Visual Studio Code, which is a popular code editor.

Having an Azure subscription is also required, so if you don't already have one, create a free account before you begin.

To generate a key pair, run ssh-keygen in a PowerShell console. It creates a private key and a public key under the %UserProfile%\.ssh directory.

If you set a passphrase when generating the key pair, note it down: you'll need it later.

You can obtain a host's "Known Hosts Entry" with ssh-keyscan, which prints the host's public keys in known_hosts format: for Azure DevOps, run ssh-keyscan ssh.dev.azure.com in Git Bash (the walkthrough's own example uses ssh-keyscan github.com). ssh-keyscan trusts whatever the network returns, so compare the fingerprint of the retrieved key with the one the service publishes before putting it into a pipeline variable.

Troubleshooting and Best Practices


Troubleshooting Azure DevOps SSH problems is easier if you check a few things in order. First, make sure the public key you uploaded is the one you think it is: compare the fingerprint ssh-keygen reports for your public key file with the fingerprint shown in your profile under SSH public keys.

Second, check that the Git remote actually uses the SSH URL: a remote still pointing at the HTTPS URL will never use your key, so switch it with git remote set-url origin and the SSH clone URL. Note that Azure DevOps changed the fingerprints it displays from MD5 to SHA-256 around August/September 2024, so during that transition compare like with like (ssh-keygen prints SHA-256 by default and MD5 with -E md5).

Third, Azure DevOps authenticates with the first key the client offers; it does not try your other keys if that one belongs to an account without access to the requested repository, and the request simply fails with an error. Make sure the correct key is offered first, or only, for that host.

Questions and Troubleshooting

Warnings or failures on SSH connections to Azure DevOps usually come down to one of a handful of causes.

Fingerprint display: Azure DevOps shows SHA-256 fingerprints as of August/September 2024 (MD5 before that), so pick the matching hash function when comparing during the transition period.

To verify the fingerprint of your public key, run ssh-keygen -l against the public key file on the command line (changing the path and filename if necessary) and compare the result with the value shown in your profile.

To switch the origin remote from an HTTPS to an SSH URL, copy the SSH clone URL from the portal and update the remote with git remote set-url origin; git remote -v then shows the new URL.

If your key is stored somewhere other than the default location, point ssh at it with an IdentityFile entry for the host in your SSH config file, and add IdentitiesOnly yes so that only that key is offered.

Azure DevOps authenticates with the first key the client presents; if that key is not valid for the requested repository, the request fails with an error message rather than falling back to your other keys.

To resolve ssh-rsa related warnings, remove any lines in your SSH config file that re-enable the SHA-1 ssh-rsa signature scheme (for example +ssh-rsa entries in PubkeyAcceptedAlgorithms or HostKeyAlgorithms) and ensure rsa-sha2-256 and/or rsa-sha2-512 are allowed. The key itself stays an ssh-rsa key; only the signature algorithm used on the wire changes.

Some Linux distributions, such as Fedora Linux, ship crypto policies that require stronger SSH signature algorithms than Azure DevOps supports, which can cause connection problems.

Best Practices

To avoid access issues, register the public key where the Git host expects it: in Azure DevOps under your user settings (keys belong to a user, not to a repository or organization); in GitHub on your account or as a deploy key on the repository.

Passing your public key as plain text in the task configuration is not recommended. Instead, set a secret variable in your pipeline holding the contents of your mykey.pub file.

Use the Secure Files library in Azure Pipelines for the private half of the key; it is stored encrypted and only pipelines granted access to the file can download it.

Configure the Install SSH Key task with that secure file, the public key variable, the known hosts entry and, if the key has one, the passphrase variable (kept as a secret), as in the example provided.

For GitHub, follow its guide to add the public key to your account or repository; for Azure DevOps Services, use the instructions above to add it under SSH public keys.

Using Multiple Key Sets for Organizations

To use different SSH keys for different organizations on Azure DevOps, you have to tell ssh which key belongs to which organization. All Azure DevOps SSH URLs use the same hostname, ssh.dev.azure.com, so by default ssh cannot distinguish them and offers the same keys to each; and because Azure DevOps authenticates with the first key the client offers, the other organization's key can be accepted and then fail authorization.

The fix is a separate Host section per organization in your SSH configuration file, each using a host alias (for example devops_fabrikam and devops_contoso), each pointing at ssh.dev.azure.com with its own IdentityFile, and each with IdentitiesOnly yes so that only that key is offered.

After modifying your SSH configuration, replace the hostname in the existing remotes with the host alias. For instance, git@ssh.dev.azure.com:v3/Fabrikam/Project1/fab_repo becomes git@devops_fabrikam:v3/Fabrikam/Project1/fab_repo. Each organization's remotes then use their own key.
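As an added example (not from the original article), the shell script below produces the per-organization Host stanzas described above, rewrites an existing remote URL to use an alias, and also covers the two earlier troubleshooting points: each stanza sets IdentitiesOnly so only the intended key is offered (Azure DevOps takes the first key presented), and an audit function flags config lines that re-enable the SHA-1 ssh-rsa signature scheme. The aliases devops_fabrikam and devops_contoso and the Fabrikam URL come from the text; the key file names and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build per-organization Host aliases for
# Azure DevOps, rewrite Git remotes to use them, and flag ssh_config lines that re-enable
# SHA-1 ssh-rsa signatures. Key paths and function names are this example's own.
set -eu

# Print a Host stanza for one organization. $1 = alias, $2 = that organization's private key.
# Every Azure DevOps organization lives behind ssh.dev.azure.com, so the alias is what lets
# ssh choose a different key per organization. IdentitiesOnly stops ssh from offering every
# key it knows about first (Azure DevOps authenticates with the first key it is offered).
azdo_host_stanza() {
  printf 'Host %s\n' "$1"
  printf '    HostName ssh.dev.azure.com\n'
  printf '    User git\n'
  printf '    IdentityFile %s\n' "$2"
  printf '    IdentitiesOnly yes\n'
  # SHA-2 RSA signatures only. Keyword is PubkeyAcceptedAlgorithms on OpenSSH 8.5+;
  # older clients spell it PubkeyAcceptedKeyTypes.
  printf '    PubkeyAcceptedAlgorithms rsa-sha2-256,rsa-sha2-512\n'
  printf '\n'
}

# Rewrite an Azure DevOps SSH remote URL ($1) to go through alias $2:
#   git@ssh.dev.azure.com:v3/Org/Project/Repo  ->  git@<alias>:v3/Org/Project/Repo
alias_remote_url() {
  case $1 in
    git@ssh.dev.azure.com:v3/*) printf 'git@%s:%s\n' "$2" "${1#git@ssh.dev.azure.com:}" ;;
    *) echo "not an Azure DevOps SSH URL: $1" >&2; return 1 ;;
  esac
}

# Print lines of ssh_config file $1 that re-add the SHA-1 "ssh-rsa" scheme (e.g. "+ssh-rsa")
# to a signature-algorithm directive; return 1 if any are found, 0 if the file is clean.
# A "-ssh-rsa" entry removes the scheme and is deliberately not flagged.
audit_ssh_rsa_downgrades() {
  if grep -niE '^[[:space:]]*(PubkeyAcceptedAlgorithms|PubkeyAcceptedKeyTypes|HostKeyAlgorithms)([[:space:]=].*)?[+,[:space:]=]ssh-rsa([,[:space:]]|$)' "$1"; then
    return 1
  fi
  return 0
}

# Demo: two organizations, one key each (paths are placeholders; ssh expands ~ itself).
cfg=$(mktemp)
{
  azdo_host_stanza devops_fabrikam '~/.ssh/id_rsa_fabrikam'
  azdo_host_stanza devops_contoso '~/.ssh/id_rsa_contoso'
} > "$cfg"
echo "append to ~/.ssh/config:"; cat "$cfg"
echo "rewritten remote: $(alias_remote_url git@ssh.dev.azure.com:v3/Fabrikam/Project1/fab_repo devops_fabrikam)"
echo "(apply with: git remote set-url origin <rewritten remote>)"

# Constructed weak config of the kind often pasted from old troubleshooting advice.
weak=$(mktemp)
printf 'Host ssh.dev.azure.com\n    HostKeyAlgorithms +ssh-rsa\n    PubkeyAcceptedAlgorithms +ssh-rsa\n' > "$weak"
if audit_ssh_rsa_downgrades "$weak"; then
  echo "no SHA-1 downgrade lines"
else
  echo "remove the lines above: they re-enable SHA-1 signatures"
fi
rm -f "$cfg" "$weak"
```

The stanza deliberately leaves HostKeyAlgorithms at the client default rather than pinning it: modern OpenSSH already excludes the SHA-1 ssh-rsa host-key signature, and the point is to remove the +ssh-rsa overrides, not to add more.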

Two Answers


As you navigate the world of SSH and Azure DevOps, you may encounter some common issues that can be frustrating to resolve. But don't worry, I've got you covered. Specifically, my understanding is that there is a distinction between key types and signature types.

The "ssh-rsa" key type is used by the "ssh-rsa", "rsa-sha2-256" and "rsa-sha2-512" signature types. This is important to know because the ssh-rsa signature type is being deprecated due to security concerns surrounding SHA-1.

If you're experiencing issues with ssh-rsa, you may need to upgrade your OpenSSH version. This is because some Linux distributions, such as Fedora Linux, have crypto policies that require stronger SSH signature algorithms than Azure DevOps supports.

You can verify the fingerprint of the public key uploaded with the one displayed in your profile through the following ssh-keygen command run against your public key using the command line. This is a useful check if you have connection problems or have concerns about incorrectly pasting in the public key into the Key Data field when adding the key to Azure DevOps.


Here are some key points to keep in mind:

  • The ssh-rsa signature type is being deprecated starting April 2024.
  • The ssh-rsa key type is still fine as long as the key length is sufficient.
  • Upgrading your OpenSSH version may resolve issues with ssh-rsa.
  • Crypto policies in some Linux distributions, such as Fedora Linux, may require stronger SSH signature algorithms than Azure DevOps supports.

Remember, it's always a good idea to verify the fingerprint of your public key to ensure everything is configured correctly. And if you're still experiencing issues, don't hesitate to reach out for help.

Judith Lang

Senior Assigning Editor
