Bohdan Janousek

Azure Repos provides two methods for users to access a git repository in Azure Repos – HTTPS and SSH. To use SSH, you need to create a key pair using one of the supported encryption methods. In the past we supported only SSH-RSA and asked users to enable SSH-RSA here. This is no longer required: in 2022 we added support for RSA-SHA2-256 and RSA-SHA2-512 to Azure DevOps Service. Later that year the same support was added to Azure DevOps Server 2022, and in August 2023 to Azure DevOps Server 2020 and 2019. The relevant release notes are linked here:

We are now announcing the deprecation of SSH-RSA as a supported encryption method for connecting to Azure Repos using SSH.

SSH-RSA is a weak encryption method. OpenSSH has already deprecated it, and it cannot be used unless enabled explicitly.

This change impacts you immediately if you are using Azure DevOps Service and are using SSH-RSA keys to connect to repos through SSH.

If you use Azure DevOps Server, then this change does not currently impact you. However, this change will impact you when you upgrade to the next version of Azure DevOps Server 2022.3 (expected to be released towards the end of 2024), since that version will not support SSH-RSA keys. If you use any of the following versions of Azure DevOps Server, you are strongly encouraged to move from SSH-RSA keys to more secure RSA-SHA2-256 or RSA-SHA2-512 keys:

  • Azure DevOps Server 2019 Update 1.2 Patch 4 and later
  • Azure DevOps Server 2020 Update 1.2 Patch 7 and later
  • Azure DevOps Server 2022

Migrating to more secure ciphers as supported by current versions of Azure DevOps Server will prevent issues in the future when you upgrade to newer versions of the server.

The deprecation of SSH-RSA ciphers in Azure DevOps Service will be done in four phases as explained below.

Phase I – User opt-in

Any user of Azure DevOps Service can migrate from SSH-RSA to the more secure ciphers supported by Azure Repos, RSA-SHA2-256 and RSA-SHA2-512. To do so, users can follow these steps:

  1. Generate a new public/private key pair by running either ssh-keygen -t rsa-sha2-256 or ssh-keygen -t rsa-sha2-512.
  2. Add the key generated in step 1 to the SSH agent. This can be done by running the ssh-add command.
  3. Change the local SSH configuration so the key generated in step 1 is listed before the SSH-RSA key. This ensures the more secure algorithms are used instead of SSH-RSA.
  4. Upload the public part of the key generated in step 1 to Azure DevOps. See this for how to do so.
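The four steps above as one script, added here as an example and not taken from the original post or from Microsoft. It assumes a Linux or macOS client with OpenSSH, a key file name of id_rsa_sha2_azure, the ssh_config path ~/.ssh/config and the Azure Repos SSH host ssh.dev.azure.com. It also adds a check the steps do not mention: because ssh-keygen treats rsa-sha2-256 as a synonym for an ordinary RSA key, the generated .pub file still begins with "ssh-rsa", and the only way to confirm that the client is signing with rsa-sha2-256 or rsa-sha2-512 is to look at what was negotiated at connection time. The script therefore reads the "signing using" line that recent OpenSSH versions print with -vvv, and the ssh_config stanza removes ssh-rsa from the algorithms the client offers so the older signature scheme cannot be selected.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the Phase I migration on a
# Linux/macOS client with OpenSSH, plus a check that the client really signs
# with rsa-sha2-256/512. Assumed values: the key file name, the ssh_config
# path and the Azure Repos SSH host ssh.dev.azure.com.
set -euo pipefail

KEY_FILE="${HOME}/.ssh/id_rsa_sha2_azure"   # assumed name for the new key
SSH_CONFIG="${HOME}/.ssh/config"

# Step 1: generate the key pair. ssh-keygen accepts rsa-sha2-256 as a synonym
# for an RSA key; the .pub file still starts with "ssh-rsa" because the
# signature algorithm is negotiated per connection, not stored in the key.
generate_key() {
  ssh-keygen -t rsa-sha2-256 -f "$1" -C "azure-devops" -N ""
}

# Step 2: load the private key into the running agent.
add_to_agent() {
  ssh-add "$1"
}

# Step 3: list the new key first for the Azure Repos host and drop ssh-rsa
# from the signature algorithms the client is willing to offer. (OpenSSH
# before 8.5 spells the option PubkeyAcceptedKeyTypes.)
write_ssh_config() {   # $1 = ssh_config path, $2 = key path
  cat >> "$1" <<EOF
Host ssh.dev.azure.com
    User git
    IdentityFile $2
    # keep any older IdentityFile lines below this one
    PubkeyAcceptedAlgorithms -ssh-rsa
EOF
}

# Verification helper: pull the signature algorithm out of "ssh -vvv" output.
# Recent OpenSSH logs "sign_and_send_pubkey: signing using <alg> ..." there.
signature_algorithm_from_log() {
  local alg
  alg=$(sed -n 's/.*signing using \([^ ]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${alg:-unknown}"
}

# Constructed sample of the relevant -vvv lines, used for the offline check.
SAMPLE_LOG='debug1: Offering public key: /home/u/.ssh/id_rsa_sha2_azure RSA SHA256:c0nstructed agent
debug1: Server accepts key: /home/u/.ssh/id_rsa_sha2_azure RSA SHA256:c0nstructed agent
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:c0nstructed
debug1: Authentication succeeded (publickey).'

# Step 4 is done in the Azure DevOps web UI with the contents of "$KEY_FILE.pub".
case "${1:-}" in
  run)
    generate_key "$KEY_FILE"
    add_to_agent "$KEY_FILE"
    write_ssh_config "$SSH_CONFIG" "$KEY_FILE"
    echo "Upload this public key to Azure DevOps:"; cat "$KEY_FILE.pub"
    echo "Signature algorithm used with the server:"
    # ssh -T against Azure Repos exits non-zero (no shell), so ignore its status
    { ssh -vvv -T git@ssh.dev.azure.com 2>&1 || true; } | signature_algorithm_from_log
    ;;
  *)
    echo "usage: $0 run"
    echo "offline check on the constructed sample log: $(printf '%s\n' "$SAMPLE_LOG" | signature_algorithm_from_log)"
    ;;
esac
```

Run it as `bash migrate.sh run`; without the argument it only exercises the log parser on the constructed sample. If the check reports "ssh-rsa" after the change, the client is either an OpenSSH older than the rsa-sha2 extension or a git client with its own SSH implementation, and it will be hit by the later phases regardless of which key file was generated.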

Phase II – Throttling/delaying

Starting early March 2024, we will start to delay any SSH operation where the SSH-RSA was used to secure the SSH channel. There will be a warning shown in the command line output stating:

“ssh-rsa is about to be deprecated and your request has been throttled. Please use rsa-sha2-256 or rsa-sha2-512 instead. Your session will continue automatically. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.”

Phase III – Brown out

In April 2024, we will start to fail the execution of any operation where SSH-RSA was used to secure the channel. We will execute the failures in a couple of stages, each with a different number of failure intervals and a different interval length. The intervals will start at random times during the day. Each stage will last for about a week.

Stage   Interval length   Count of intervals in a day   Total failure time in a day
1       30 minutes        1                             30 minutes
2       1 hour            3                             3 hours
3       2 hours           4                             8 hours
4       1 hour            12                            12 hours

To make it clear to users why the SSH operation failed, we will add an error message to the command line output. The error message will be:

“You’re using ssh-rsa that is about to be deprecated and your request has been blocked intentionally. Any SSH session using SSH-RSA is subject to brown out (failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.”

Phase IV – SSH-RSA removal

Late in Q2 2024, we will start failing the execution of any operation where SSH-RSA was used to secure the SSH channel. To make it clear to users why the SSH operation failed, we will add the following error message to the command line output:

“You’re using ssh-rsa that is unsupported. Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.”

FAQ

Q: I am running the Azure DevOps Server. Can I use SSH-RSA going forward?
A: Yes, you can for now. Nonetheless, once you are on a version of Azure DevOps Server that supports the new ciphers, you should consider moving to these more secure ones. See the Phase I – User opt-in chapter for details on how to do so.

Q: I am running a version of Azure DevOps Server without support for the new ciphers, but I want to use a more secure cipher than SSH-RSA. Can I do that?
A: Yes, but you need to upgrade to any version of Azure DevOps Server supporting these more secure ciphers.

Q: Are there plans to remove support for the SSH-RSA also from the Azure DevOps Server?
A: Yes. In a future version we will remove support for SSH-RSA from Azure DevOps Server. So, please consider moving to a more secure cipher. See the Phase I – User opt-in chapter for details on how to do so.

Q: Will I be able to use the SSH-RSA to connect to Azure DevOps Server after you remove support for SSH-RSA?
A: Yes, but this will require your organization administrators or IT specialists to take special action. Without that, you will be able to use only the supported ciphers.