Supporting SHA-2 algorithm in SSH on Azure DevOps

Jimson Chalissery [MSFT]

With the release of OpenSSH 8.2 last month, connections to SSH servers using SHA-1 were disabled by default in the OpenSSH client. We understand that this move helps improve the security of SSH connections by encouraging all users to adopt the SHA-2 class of algorithms, which are generally considered safer. However, this left OpenSSH users unable to connect to Azure DevOps, since Azure DevOps supported only SHA-1 class algorithms. The workaround was to use a flag to force the client to fall back to SHA-1.

We’ve now remedied the situation by enabling support for a SHA-2 class key exchange algorithm – ‘diffie-hellman-group-exchange-sha256’. This will now allow users to connect to Azure DevOps with the OpenSSH 8.2 client without additional steps.
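The connection failure and the fix described above both follow from the key exchange selection rule in RFC 4253 section 7.1: the first method on the client's list that the server also offers is used. The sketch below is an added example, not code from the original post; the algorithm lists are constructed samples, and the two SHA-1 methods in the old server list are an assumption, since the post names only the new SHA-2 method.

```shell
#!/bin/sh
# Added example: SSH key exchange selection (RFC 4253 section 7.1), reduced to
# the name match only. The RFC's extra host-key compatibility conditions are
# ignored here. All lists are constructed samples, not captured traffic.

# negotiate_kex CLIENT_LIST SERVER_LIST
# Prints the first method in the client's comma-separated list that the server
# also offers. Returns 1 when the lists do not overlap (the connection fails).
negotiate_kex() {
    client=$1; server=$2
    old_ifs=$IFS; IFS=,
    for alg in $client; do
        case ",$server," in
            *",$alg,"*) IFS=$old_ifs; printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# kex_outcome CLIENT_LIST SERVER_LIST
# Prints "none", "sha1:<alg>", "sha2:<alg>" or "other:<alg>" for the pair.
kex_outcome() {
    alg=$(negotiate_kex "$1" "$2") || { echo none; return 0; }
    case $alg in
        *-sha1)                     echo "sha1:$alg" ;;
        *sha256*|*sha512*|*sha2-*)  echo "sha2:$alg" ;;
        *)                          echo "other:$alg" ;;
    esac
}

# Constructed client list modelled on a client with no SHA-1 methods enabled.
CLIENT_82='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
# Same client with a SHA-1 method appended as the fallback workaround.
CLIENT_FALLBACK="$CLIENT_82,diffie-hellman-group14-sha1"
# Assumed SHA-1-only server list (the post does not name the old methods).
SERVER_OLD='diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'
# Server after the change: the SHA-2 method named in the post is added.
SERVER_NEW="$SERVER_OLD,diffie-hellman-group-exchange-sha256"

printf 'default client,  old server: %s\n' "$(kex_outcome "$CLIENT_82" "$SERVER_OLD")"
printf 'fallback client, old server: %s\n' "$(kex_outcome "$CLIENT_FALLBACK" "$SERVER_OLD")"
printf 'default client,  new server: %s\n' "$(kex_outcome "$CLIENT_82" "$SERVER_NEW")"
printf 'fallback client, new server: %s\n' "$(kex_outcome "$CLIENT_FALLBACK" "$SERVER_NEW")"
```

The last case shows that a client still carrying the appended SHA-1 fallback negotiates the SHA-2 method once the server offers it, so the workaround can be removed without changing the outcome. For a real client, the effective list is the `kexalgorithms` line printed by `ssh -G <host>`.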

We introduced this change to the Azure DevOps Services on March 6, 2020. We’re now bringing the same capability to Azure DevOps Server 2019 in the April 2020 patch. And we’re actively working to bring this to Azure DevOps Server 2018 via a patch in the next couple of months.

Thank you for your patience as we work through this.
