Accessing Azure DevOps Git repositories using SSH
Azure DevOps Server supports three secure ways to connect to your Git repositories—the first two work over HTTPS and the third option uses SSH:
- Git Credential Manager
- Personal Access Token
- SSH Public Keys
Git Credential Manager is the preferred option, since it lets you use the same credentials that you use with the Azure DevOps Server web portal and also supports multi-factor authentication. In addition to supporting multi-factor authentication with Azure DevOps Server, the credential manager also supports two-factor authentication for GitHub repositories. Once authenticated, the credential manager creates and caches a personal access token for future connections to the repo. Git commands that connect to this account won't prompt for user credentials until the token expires or is revoked through Azure DevOps Server. If you access your Azure DevOps Server Git repositories through Team Explorer in Visual Studio, Visual Studio Code, IntelliJ or Android Studio (with the Azure DevOps Server Plugin for IntelliJ), or Eclipse (with the Team Explorer Everywhere plugin), you'll be using Git Credential Manager under the hood.
You are probably wondering, "What's the use case for using PAT or SSH keys for authentication?" If you are using an environment that doesn't have an integration plugin available with Azure DevOps Server, configure your IDE to use a Personal Access Token or SSH keys to connect to your repos in Azure DevOps Server. Git Credential Manager creates and caches a PAT after initial authentication, which is what it uses for future connections to the repository. The difference here is that if you use a PAT for authentication from an environment that doesn't support Git Credential Manager, then you're responsible for generating and managing the PAT yourself. PATs are a perfect fit when you're trying to authenticate from command-line tools, tasks in build pipelines, or using REST APIs. Personal access tokens are alternate passwords that you create in a secure way using your normal authentication, and they support expiration dates and a scope of access. You can put them into environment variables so that scripts do not hardcode passwords.
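To make the environment-variable approach concrete, here is an added example (not taken from the original text or from Microsoft's tooling) of a script that reads a PAT from the environment and hands it to Git without writing it to disk or to the command line. The variable names `AZURE_DEVOPS_PAT` and `ADO_SERVER_URL` and the server URL are assumptions chosen for illustration; the example also assumes Git 2.31 or later and a server that accepts a PAT as the password of an HTTPS Basic credential.

```shell
#!/bin/sh
# Added example. AZURE_DEVOPS_PAT and ADO_SERVER_URL are hypothetical names
# chosen here; https://devops.example.com/ is a placeholder server URL.

# Build the Basic auth header for a PAT: empty user name, PAT as password.
ado_auth_header() {
    if [ -z "${AZURE_DEVOPS_PAT:-}" ]; then
        echo "AZURE_DEVOPS_PAT is not set" >&2
        return 1
    fi
    # tr strips the line wrapping some base64 tools add to long output.
    b64=$(printf ':%s' "$AZURE_DEVOPS_PAT" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s' "$b64"
}

# Run a command (normally git) with the header injected through Git's
# GIT_CONFIG_* environment variables, so the token never appears in argv,
# in .git/config, or in the remote URL.
with_ado_auth() {
    header=$(ado_auth_header) || return 1
    server=${ADO_SERVER_URL:-https://devops.example.com/}
    # Scoping the key to the server URL keeps the header from being sent
    # to other hosts Git contacts, such as submodules hosted elsewhere.
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0="http.${server}.extraheader" \
    GIT_CONFIG_VALUE_0="$header" \
    "$@"
}

# Usage (the PAT comes from the pipeline's secret store, not the script):
#   with_ado_auth git clone https://devops.example.com/Collection/Project/_git/Repo
```

Because the token is passed in the environment of the single Git process, it does not show up in process listings of command-line arguments or persist in the cloned repository's configuration.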
If you are coming from a non-Windows ecosystem, you are probably more used to using SSH keys for authentication. SSH keys provide you with secure access to your Git repositories hosted in Azure DevOps Server without having to enter a password. SSH keys work across platforms: you can use one SSH key to connect to multiple systems, such as Azure DevOps Server, Azure DevOps, GitHub, and any other systems that support SSH access. This is especially useful for system administrators who need to access multiple systems and would otherwise find entering passwords tedious. SSH public key authentication works with a pair of generated encryption keys. The public key is shared and used to encrypt messages. The private key is kept safe and secure on your system and is used to read messages encrypted with the public key. As of Visual Studio 2017, Visual Studio provides native support for SSH access to Git repositories.
Now that we are clear on the different types of secure access supported by Azure DevOps Server and when you should use which, let's see how to set up SSH public key access with Azure DevOps Server.