8

I recently created a second key to access Visual Studio Team Services,

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

so I now have two keys:

id_github
id_vsts

Both keys seem to have been picked up by ssh: `ssh-add -l` lists both of them.

Next, I added id_vsts.pub to my VSTS account security. The key was properly added because requesting SSH terminal access authenticates properly:

    Authentication for user with identifier "" was successful against account "my_account".
    Shell is not supported.

However, when I `git clone ssh://[user]@[host]:22/[repo]`, it fails!

    Your Git command did not succeed.
    Details:
            Public key authentication failed.

In an unexpected turn of events, if I use id_github's public key, the clone succeeds. What's going on?

Jack Davidson
aryzing
  • What detailed steps did you take? Did you add the public key to VSTS (Profile > Security > SSH public keys)? https://www.visualstudio.com/en-us/docs/git/use-ssh-keys-to-authenticate#step-2--add-the-public-key-to-team-servicestfs – starian chen-MSFT Mar 10 '17 at 06:09
  • Updated question with more detailed steps, let me know if this helps @starain-MSFT – aryzing Mar 10 '17 at 07:30
  • Do you Force SSH Client To Use Given Private Key? https://www.cyberciti.biz/faq/force-ssh-client-to-use-given-private-key-identity-file/ – starian chen-MSFT Mar 10 '17 at 08:14
  • No, I don't force the client. The command I use is `git clone ssh://[user]@[host]:22/[repo]`. The url is copied using the "copy to clipboard" icon. I was under the impression that all private keys are used in trying to authenticate. – aryzing Mar 10 '17 at 08:20
  • What's the result if you force the client to use that private key? SSH -I? – starian chen-MSFT Mar 10 '17 at 08:22
  • Thanks for the quick response, I'll try again when I get home. – aryzing Mar 10 '17 at 08:27

3 Answers

13

In my case, adding `IdentitiesOnly yes` to the `~/.ssh/config` file for the VSO host did the trick.

marius-O
6

You need to force the client to use a specific private key; otherwise it uses the default one.

To check which private key file is used for a host, you can run

    ssh -v [host(e.g. test@test.visualstudio.com)]

One way is to configure it in the config file. (My steps for Windows.)

  1. Run `touch .ssh/config` if there isn't a config file in the .ssh folder
  2. Open the config file and add:

    Host xx.visualstudio.com
      IdentityFile /c/Users/xx/.ssh/id_vsts

  3. Open a new command line and run the Git clone command

Another way is to run the `ssh -i /path/to/id_rsa user@server.nixcraft.com` command.

For more information, refer to this article: Force SSH Client To Use Given Private Key (identity file)

starian chen-MSFT
0

Apparently git uses only the first key provided; if that fails, git clone fails. My ssh config had a wildcard option with a key matching before the git key, and therefore it did not work. After moving the git configuration to the top of .ssh/config, all is fine.
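
The fixes from the answers above (a per-host `IdentityFile`, `IdentitiesOnly yes`, and placing the specific host block ahead of a wildcard), combined in one `~/.ssh/config`. This is an added example, not taken from any of the posts; the `~/.ssh/` key paths, the `github.com` block and the `ServerAliveInterval` default are assumptions for illustration.

```sshconfig
# ~/.ssh/config

# --- Before (constructed, left commented out) ---------------------------
# Host *
#   IdentityFile ~/.ssh/id_github
# Host xx.visualstudio.com
#   IdentityFile ~/.ssh/id_vsts
#
# Both blocks match xx.visualstudio.com. IdentityFile entries accumulate
# in file order, so id_github is listed ahead of id_vsts, and without
# IdentitiesOnly any other key loaded in ssh-agent may be offered as well.

# --- After: specific hosts first, one key per host ----------------------
Host xx.visualstudio.com
  IdentityFile ~/.ssh/id_vsts
  # Offer only the configured identity, even if ssh-agent holds more keys
  IdentitiesOnly yes

Host github.com
  IdentityFile ~/.ssh/id_github
  IdentitiesOnly yes

# Generic defaults go last: for each option, the first value obtained wins,
# so anything set in the blocks above is not overridden here.
Host *
  ServerAliveInterval 60

# Verify what the client will actually use for a host:
#   ssh -G xx.visualstudio.com | grep -i -E 'identityfile|identitiesonly'
# Watch which keys are offered during authentication:
#   ssh -v user@xx.visualstudio.com    (look for "Offering public key" lines)
```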