Azure Repos offers users two ways to access a git repository: HTTPS and SSH. To utilize SSH, users must generate a key pair using supported encryption methods. Previously, only SSH-RSA was supported, requiring users to enable it. However, starting in 2022, Azure DevOps Service began supporting RSA-SHA2-256 and RSA-SHA2-512. This support was subsequently extended to Azure DevOps Server 2022 and later to Azure DevOps Server 2020 and 2019 in August 2023.
Microsoft Azure is now phasing out support for SSH-RSA as an encryption method for connecting to Azure Repos via SSH. SSH-RSA is considered weak and has been deprecated by OpenSSH, requiring explicit enabling.
This change directly affects users of Azure DevOps Service who currently utilize SSH-RSA keys for repository connections via SSH.
For users of Azure DevOps Server, this change does not have immediate implications. However, it will affect you when upgrading to the next version of Azure DevOps Server 2022.3, expected to be released by the end of 2024. This upcoming version will no longer support SSH-RSA keys. If you're using any of the affected versions of Azure DevOps Server, we strongly recommend transitioning from SSH-RSA keys to more secure options like RSA-SHA2-256 or RSA-SHA2-512 keys.
- Azure DevOps Server 2019 Update 1.2 Patch 4 and later
- Azure DevOps Server 2020 Update 1.2 Patch 7 and later
- Azure DevOps Server 2022
Moving to the stronger algorithms now, while still on the current Azure DevOps Server versions, avoids complications during future server upgrades.
The phasing out of SSH-RSA ciphers in Azure DevOps Service will occur through four distinct phases, outlined below.
Phase I – User Opt-In
Users of Azure DevOps Service have the option to transition from SSH-RSA to more secure ciphers supported by Azure Repos. These include RSA-SHA2-256 or RSA-SHA2-512. To make this transition, users can follow these steps:
1. Generate a new public-private key pair by executing either `ssh-keygen -t rsa-sha2-256` or `ssh-keygen -t rsa-sha2-512`.
2. Add the generated key to the SSH agent using the command `ssh-add <PathToYourPrivateKey>`.
3. Modify the local SSH configuration to prioritize the key generated in step 1 over the SSH-RSA key. This ensures the use of more secure algorithms instead of SSH-RSA.
4. Upload the public part of the key generated in step 1 to Azure DevOps.
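The three local steps above as POSIX shell functions, added here as an example and not Microsoft's own tooling. It assumes OpenSSH 8.5 or later (for `PubkeyAcceptedAlgorithms`), that `ssh.dev.azure.com` is the Azure DevOps Service SSH host, and file names of its own choosing.

```shell
#!/bin/sh
# Added example, not Microsoft's own tooling: Phase I steps 1-3 as shell
# functions. Assumes OpenSSH 8.5+ (for PubkeyAcceptedAlgorithms) and that
# ssh.dev.azure.com is the Azure DevOps Service SSH host; file names are
# this example's own choice.
set -eu

AZ_HOST="ssh.dev.azure.com"

# Step 1: generate the new key pair. The "rsa-sha2-256" type name yields an
# ordinary RSA key (the .pub line still starts with "ssh-rsa"); what changes
# is the signature algorithm the client negotiates with it.
# $1 = key directory, $2 = comment, $3 = passphrase. Prints the key path.
generate_key() {
    dir="$1"; comment="$2"; pass="$3"
    mkdir -p "$dir"; chmod 700 "$dir"
    ssh-keygen -q -t rsa-sha2-256 -b 4096 -N "$pass" -C "$comment" \
        -f "$dir/id_rsa_sha2_azure"
    echo "$dir/id_rsa_sha2_azure"
}

# Step 2: load the private key into the running agent, if there is one.
add_to_agent() {
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then ssh-add "$1"; fi
}

# Step 3: put a Host block for Azure Repos at the TOP of the config. ssh keeps
# the first value it sees for each option, so this block wins over any older
# entry that points at an ssh-rsa key. IdentitiesOnly stops the agent from
# offering other keys, and the algorithm list leaves ssh-rsa out entirely.
# $1 = config file, $2 = private key path. Prints the config path.
write_azure_ssh_config() {
    cfg="$1"; key="$2"; new="$1.new"
    mkdir -p "$(dirname "$cfg")"
    cat > "$new" <<EOF
Host $AZ_HOST
    User git
    IdentityFile $key
    IdentitiesOnly yes
    PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256
EOF
    if [ -f "$cfg" ]; then cat "$cfg" >> "$new"; fi
    mv "$new" "$cfg"; chmod 600 "$cfg"
    echo "$cfg"
}
```

After running the functions against `~/.ssh`, the file `id_rsa_sha2_azure.pub` is what step 4 uploads, and a verbose `ssh -vT` connection to the host shows which key and signature algorithm the server accepted.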
Phase II – Throttling/Delaying
Commencing in early March 2024, we will implement a delay for any SSH operation utilizing SSH-RSA to secure the SSH channel. Users will receive a warning message in the command line output indicating:
"ssh-rsa is nearing deprecation, and your request has been throttled. Please utilize rsa-sha2-256 or rsa-sha2-512 instead. Your session will resume automatically."
Phase III – Brown Out
Beginning in April 2024, we will initiate the cessation of any operation employing SSH-RSA to secure the channel. These failures will occur in several stages, each characterized by varying intervals and frequencies of failure, with intervals commencing at random times throughout the day. Each stage will persist for approximately one week.
| Stage | Interval Length | Number of Intervals per Day | Total Failure Time per Day |
|---|---|---|---|
| 1 | 30 minutes | 1 | 30 minutes |
| 2 | 1 hour | 3 | 3 hours |
| 3 | 2 hours | 4 | 8 hours |
| 4 | 1 hour | 12 | 12 hours |
To provide clarity to users regarding the cause of the SSH operation failure, we will include an error message in the command line output:
"You are employing ssh-rsa, which is nearing deprecation, and your request has been intentionally blocked. SSH sessions using SSH-RSA are subject to brownouts (failures during random time periods). Please transition to rsa-sha2-256 or rsa-sha2-512 instead."
Phase IV – Removal of SSH-RSA
In the latter part of Q2 2024, we will commence the discontinuation of any operation utilizing SSH-RSA to secure the SSH channel. To provide clarity to users regarding the reason for the SSH operation failure, we will include the following error message in the command line output:
"You are utilizing ssh-rsa, which is no longer supported. Please transition to rsa-sha2-256 or rsa-sha2-512 instead."