Sourcetree Azure Devops

  1. Azure Devops Git Authentication
  2. Sourcetree Azure Devops Insufficient Authentication Credentials

Sourcetree for Windows; SRCTREEWIN-12500; Unable to add Azure DevOps Remote Account using SourceTree 3.1.3.

It would be excellent to have Optional extended integration configuration available for Azure DevOps to aid with our (and many others') workflow.To be able to create PRs from SourceTree for DevOps would be a huge time saver. Azure DevOps Repos with Sourcetree – Adding working authentication How to fix authentication in Sourcetree with Azure Repos You will try, and think you are not successful, but you are really near from it! Follow with me: I am using SourceTree for Windows version 3.2.6.

-->

Azure DevOps Services Azure DevOps Server 2020 Azure DevOps Server 2019 TFS 2018 - TFS 2017

A personal access token (PAT) is used as an alternate password to authenticate into Azure DevOps. Learn how to create, use, modify, and revoke PATs for Azure DevOps.

If you're working within Microsoft tools, then your Microsoft account (MSA) or Azure Active Directory (Azure AD) is an acceptable and well-supported approach. But, if you're working with third-party tools that don't support Microsoft or Azure AD accounts – or you don't want to provide your primary credentials to the tool – you can make use of PATs to limit your risk.

PATs are easy to create when you need them and easy to revoke when you don’t. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually. We recommend that you review our authentication guidance to help you choose the correct authentication mechanism. For smaller projects that require a less robust solution, PATs are a simple alternative. Unless your users are using a credential manager, they have to enter their credentials each time.

You can create and manage your PATs through one of two ways:

From Sourcetree, click the Branch button. Depending on whether you have a Git or Mercurial repository, you see a different popup for creating a new branch. From the New Branch or Create a new branch field, enter wish-list for the name of your branch. Click Create Branch or OK. From Sourcetree, click the Show in Finder button. The directory on. The goal of this article is to guide users to generate and load SSH keys into SourceTree using PuTTY. To generate an SSH Key, select Tools Create or Import SSH Keys. This window should pop up: 2. Click Generate, and move the mouse randomly until a key is generated: 3. A public key and a private key should appear.

  • the user interface in your user settings, which is described in detail below, and
  • through the PAT Lifecycle Management API.

Create a PAT

Note

To enable the new user interface for the New account manager page, see Manage or enable features.

  1. Sign in to your organization in Azure DevOps (https://dev.azure.com/{yourorganization})

  2. From your home page, open your user settings, and then select Personal access tokens.

  3. And then select + New Token.

  4. Name your token, select the organization where you want to use the token, and then choose a lifespan for your token.

  5. Select the scopesfor this token to authorize for your specific tasks.

    For example, to create a token to enable a build and release agent to authenticate to Azure DevOps Services,limit your token's scope to Agent Pools (Read & manage). To read audit log events, and manage and delete streams, select Read Audit Log, and then select Create.

  6. When you're done, make sure to copy the token. For your security, it won't be shown again. Use this token as your password.

  1. Sign in to your organization in Azure DevOps (https://dev.azure.com/{yourorganization})

  2. From your home page, open your profile. 1900 utc to est conversion. Go to your security details.

  3. Select + New Token.

  4. Name your token, select the organization where you want to use the token, and then choose a lifespan for your token.

  5. Select the scopesfor this token to authorize for your specific tasks.

    For example, to create a token to enable a build and release agent to authenticate to Azure DevOps Services,limit your token's scope to Agent Pools (Read & manage), and then select Create.

  6. When you're done, make sure to copy the token. For your security, it won't be shown again. Use this token as your password.

  1. Sign in to your web portal (https://{server}:8080/tfs/).

  2. From your home page, open your profile. Go to your security details.

  3. Create a personal access token.

  4. Name your token. Select a lifespan for your token.

    If you have more than one organization,you can also select the organization where you want to use the token.

  5. Select the scopesfor this token to authorize for your specific tasks.

    For example, to create a token to enable a build and release agent to authenticate,limit your token's scope to Agent Pools (read, manage).

  6. When you're done, make sure to copy the token. For your security, it won't be shown again. Use this token as your password. Select Close.

Once your PAT is created, you can use it anywhere your user credentials are required for authentication in Azure DevOps.

Notifications

Users receive two notifications during the lifetime of a PAT - one upon creation and the other seven days before the expiration.

After you create a PAT, you receive a notification similar to the following example.

Seven days before your PAT expires, you receive a notification similar to the following example.

Unexpected notification

If you receive an unexpected PAT notification, an administrator or tool might have created a PAT on your behalf. See the following examples.

  • When you connect to an Azure DevOps Git repo through git.exe. it creates a token with a display name like 'git: https://MyOrganization.visualstudio.com/ on MyMachine.'
  • When you or an administrator sets up an Azure App Service web app deployment, it creates a token with a display name like 'Service Hooks: : Azure App Service: : Deploy web app.'
  • When you or an administrator sets up web load testing, as part of a pipeline, it creates a token with a display name like 'WebAppLoadTestCDIntToken'.
  • When a Microsoft Teams Integration Messaging Extension is set up, it creates a token with a display name like 'Microsoft Teams Integration'.

If you believe that a PAT exists in error, we suggest that you revoke the PAT. Then, change your password. As an Azure AD user, check with your administrator to see if your organization was used from an unknown source or location. See also the FAQ about accidentally checking in a PAT to a public GitHub repository.

Use a PAT

Your token is your identity and represents you when it's used. Treat and use a PAT like your password.

  1. Git interactions require a username, which can be anything except the empty string.The PAT is used as the password.Additionally, you have to Base64-encode the username and PAT to use it with HTTP basic authentication.On Linux or macOS, in Bash, you can enter:

On Windows, you can do something similar in PowerShell:

To keep your token more secure, use credential managers so you don't have to enter your credentials every time. We recommend the following credential manager:

  • Git Credential Manager Core (Windows also requires Git for Windows)

Use a PAT in your code

See the following sample that gets a list of builds using curl.


If you wish to provide the PAT through an HTTP header, first convert it to a Base64 string (the following example shows how to convert to Base64 using C#). The resulting string can then be provided as an HTTP header in the following format:
Authorization: Basic BASE64_USERNAME_PAT_STRING
Here it is in C# using the HttpClient class.


Tip

When you're using variables, add a '$' at the beginning of the string, like in the following example.

When your code is working, it's a good time to switch from basic auth to OAuth.

If you enable IIS Basic Authentication for TFS, PATs aren't valid. For more information, see Using IIS Basic Authentication with TFS on-premises.

For more examples of how to use PATs, see Git credential managers, REST APIs, NuGet on a Mac, Reporting clients, or Get started with Azure DevOps CLI.

Modify a PAT

You can regenerate or extend a PAT, and modify its scope.

Note

To enable the new user interface for the New account manager page, see Manage or enable features.

  1. From your home page, open your user settings, and then select Profile.

  2. Under Security, select Personal access tokens. Select the token for which you want to modify, and then select Edit.

  3. Edit the token name, organization it applies to, token expiration, or the scope of access that's associated with the token, and then select Save.

  1. From your home page, open your profile. Go to Security details.

  2. Select the token for which you want to modify, and then select Edit.

  3. Edit the token name, organization it applies to, token expiration, or the scope of access that's associated with the token, and then select Save.

Revoke a PAT

You can revoke a PAT at any time, for various reasons.

Note

To enable the new user interface for the New account manager page, see Manage or enable features.

  1. From your home page, open your user settings, and then select Profile.

  2. Under Security, select Personal access tokens. Select the token for which you want to revoke access, and then select Revoke.

  3. Select Revoke in the confirmation dialog.

  1. From your home page, open your profile. Go to Security details.

  2. Select the token for which you want to revoke access, and then select Revoke.

  3. Select Revoke in the confirmation dialog.

Related articles

FAQs

Q: Is there a way to renew a PAT via REST API?

A: Yes, there is a way to renew, manage, and create PATs using our PAT Lifecycle Management APIs. Read more about renewing/regenerating/rotating PATs in our FAQ.

Q: Can I use basic auth with all of Azure DevOps REST APIs?

A: No. You can use basic auth with most of them, but organizations and profiles only support OAuth.

Q: What happens if I accidentally check my PAT into a public repository on GitHub?

A: Azure DevOps scans for PATs checked into public repositories on GitHub. When a leaked token is discovered, we immediately send a detailed email notification to the token owner and log an event to your Azure DevOps organization's audit log. We encourage impacted users to mitigate immediately by rotating or revoking the leaked PAT.

-->

Azure DevOps Services Azure DevOps Server 2020 Azure DevOps Server 2019 TFS 2018 - TFS 2015

Azure

Connect to your Git repos through SSH on macOS, Linux, or Windows to securely connect using HTTPS authentication. On Windows, we recommended the use of Git Credential Manager Core or Personal Access Tokens.

Important

Devops

SSH URLs have changed, but old SSH URLs will continue to work. If you have already set up SSH, you should update your remote URLs to the new format:

  • Verify which remotes are using SSH by running git remote -v in your Git client.
  • Visit your repository on the web and select the Clone button in the upper right.
  • Select SSH and copy the new SSH URL.
  • In your Git client, run: git remote set-url <remote name, e.g. origin> <new SSH URL>. Alternatively, in Visual Studio, go to Repository Settings, and edit your remotes.

Note

As of Visual Studio 2017, SSH can be used to connect to Azure DevOps Git repos.

How SSH key authentication works

SSH public key authentication works with an asymmetric pair of generated encryption keys. The public key is shared with Azure DevOps and used to verify the initial ssh connection. The private key is kept safe and secure on your system.

Set up SSH key authentication

The following steps cover configuration of SSH key authentication on the following platforms:

  • Linux
  • macOS running at least Leopard (10.5)
  • Windows systems running Git for Windows

Configure SSH using the command line. bash is the common shell on Linux and macOS and the Git for Windows installation adds a shortcut to Git Bash in the Start menu.Other shell environments will work, but are not covered in this article.

Step 1: Create your SSH keys

Note

If you have already created SSH keys on your system, skip this step and go to configuring SSH keys.

The commands here will let you create new default SSH keys, overwriting existing default keys. Before continuing, check your~/.ssh folder (for example, /home/jamal/.ssh or C:Usersjamal.ssh) and look for the following files:

  • id_rsa
  • id_rsa.pub

If these files exist, then you have already created SSH keys. You can overwrite the keys with the following commands, or skip this step and go to configuring SSH keys to reuse these keys.

Create your SSH keys with the ssh-keygen command from the bash prompt. This command will create a 3072-bit RSA key for use with SSH. You can give a passphrasefor your private key when prompted—this passphrase provides another layer of security for your private key.If you give a passphrase, be sure to configure the SSH agent to cache your passphrase so you don't have to enter it every time you connect.

This command produces the two keys needed for SSH authentication: your private key ( id_rsa ) and the public key ( id_rsa.pub ). It is important to never share the contents of your private key. If the private key iscompromised, attackers can use it to trick servers into thinking the connection is coming from you.

Step 2: Add the public key to Azure DevOps Services/TFS

Associate the public key generated in the previous step with your user ID.

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper right of theuser interface. Select SSH public keys in the menu that appears.

  2. Select + New Key.

  3. Copy the contents of the public key (for example, id_rsa.pub) that you generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

  4. Give the key a useful description (this description will be displayed on the SSH public keys page for your profile) so that you can remember it later. Select Save to store the public key.Once saved, you cannot change the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile. Also note that SSH keys stored in Azure DevOps expire after five years. If your key expires, you may upload a new key or the same one to continue accessing Azure DevOps via SSH.

  5. Test the connection by running the following command: ssh -T [email protected].If everything is working correctly, you'll receive a response which says: remote: Shell access is not supported.If not, see the section on Questions and troubleshooting.

Step 2: Add the public key to Azure DevOps

Associate the public key generated in the previous step with your user ID.

  1. Open your security settings by browsing to the web portal and selecting your avatar in the upper right of theuser interface. Select Security in the menu that appears.

  2. Select + New Key.

  3. Copy the contents of the public key (for example, id_rsa.pub) that you generated into the Public Key Data field.

    Important

    Avoid adding whitespace or new lines into the Key Data field, as they can cause Azure DevOps Services to use an invalid public key. When pasting in the key, a newline often is added at the end. Be sure to remove this newline if it occurs.

  4. Give the key a useful description (this description will be displayed on the SSH public keys page for your profile) so that you can remember it later. Select Save to store the public key. Once saved, you cannot change the key. You can delete the key or create a new entry for another key. There are no restrictions on how many keys you can add to your user profile.

  5. Test the connection by running the following command: ssh -T [email protected].If everything is working correctly, you'll receive a response which says: remote: Shell access is not supported.If not, see the section on Questions and troubleshooting.

Step 3: Clone the Git repository with SSH

Note

To connect with SSH from an existing cloned repo, see updating your remotes to SSH.

  1. Copy the SSH clone URL from the web portal. In this example, the SSL clone URL is for a repo in an organization named fabrikam-fiber, as indicated by the first part of the URL after dev.azure.com.

    Note

    Project URLs have changed with the release of Azure DevOps Services and now have the format dev.azure.com/{your organization}/{your project}, but you can still use the existing visualstudio.com format. For more information, see Visual Studio Team Services is now Azure DevOps Services.

  2. Run git clone from the command prompt.

SSH may display the server's SSH fingerprint and ask you to verify it.You should verify that the displayed fingerprint matches one of the fingerprints in the SSH public keys page.

SSH displays this fingerprint when it connects to an unknown host to protect you from man-in-the-middle attacks.Once you accept the host's fingerprint, SSH will not prompt you again unless the fingerprint changes.

When you are asked if you want to continue connecting, type yes. Git will clone the repo and set up the origin remote to connect with SSH for future Git commands.

Tip

To prevent problems, Windows users should run a command to have Git reuse their SSH key passphrase.

Questions and troubleshooting

Sourcetree Azure Devops

Q: After running git clone, I get the following error. What should I do?

A: Manually record the SSH key by running:ssh-keyscan -t rsa domain.com >> ~/.ssh/known_hosts

Q: How can I have Git remember the passphrase for my key on Windows?

A: Run the following command included in Git for Windows to start up the ssh-agent process in PowerShell or the Windows Command Prompt. ssh-agent will cacheyour passphrase so you don't have to provide it every time you connect to your repo.

If you're using the Bash shell (including Git Bash), start ssh-agent with:

Q: I use PuTTY as my SSH client and generated my keys with PuTTYgen. Can I use these keys with Azure DevOps Services?

A: Yes. Load the private key with PuTTYgen, go to Conversions menu and select Export OpenSSH key.Save the private key file and then follow the steps to set up non-default keys.Copy your public key directly from the PuTTYgen window and paste into the Key Data field in your security settings.

Q: How can I verify that the public key I uploaded is the same key as I have locally?

A: You can verify the fingerprint of the public key uploaded with the one displayed in your profile through the following ssh-keygen command run against your public key usingthe bash command line. You will need to change the path and the public key filename if you are not using the defaults.

You can then compare the MD5 signature to the one in your profile. This check is useful if you have connection problems or have concerns about incorrectlypasting in the public key into the Key Data field when adding the key to Azure DevOps Services.

Q: How can I start using SSH in a repository where I am currently using HTTPS?

A: You'll need to update the origin remote in Git to change over from a HTTPS to SSH URL. Once you have the SSH clone URL, run the following command:

You can now run any Git command that connects to origin.

Q: I'm using Git LFS with Azure DevOps Services and I get errors when pulling files tracked by Git LFS.

A: Azure DevOps Services currently doesn't support LFS over SSH. Use HTTPS to connect to repos with Git LFS tracked files.

Q: How can I use a non-default key location, i.e. not ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub?

A: To use keys created with ssh-keygen in a different place than the default, perform these two tasks:

  1. The keys must be in a folder that only you can read or edit. If the folder has wider permissions, SSH will not use the keys.
  2. You must let SSH know the location of the keys. You make SSH aware of keys through the ssh-add command, providing the full path to the private key.

On Windows, before running ssh-add, you will need to run the following command from included in Git for Windows:

This command runs in both PowerShell and the Command Prompt. If you are using Git Bash, the command you need to use is:

Sourcetree Azure Devops

You can find ssh-add as part of the Git for Windows distribution and also run it in any shell environment on Windows.

On macOS and Linux you also must have ssh-agent running before running ssh-add, but the command environment on these platforms usuallytakes care of starting ssh-agent for you.

Q: I have multiple SSH keys. How do I use different SSH keys for different SSH servers or repos?

A: Generally, if you configure multiple keys for an SSH client and connect to an SSH server, the client can try the keys one at a time until the server accepts one.

However, this doesn't work with Azure DevOps for technical reasons related to the SSH protocol and how our Git SSH URLs are structured. Azure DevOps will blindly accept the first key that the client provides during authentication. If that key is invalid for the requested repo, the request will fail with the following error:

For Azure DevOps, you'll need to configure SSH to explicitly use a specific key file. One way to do this to edit your ~/.ssh/config file (for example, /home/jamal/.ssh or C:Usersjamal.ssh) as follows:

Q: How do I fix errors that mention 'no matching key exchange method found'?

A: Git for Windows 2.25.1 shipped with a new version of OpenSSH which removed some key exchange protocols by default.Specifically, diffie-hellman-group14-sha1 has been identified as problematic for some Azure DevOps Server and TFS customers.You can work around the problem by adding the following to your SSH configuration (~/.ssh/config):

Replace <your-azure-devops-host> with the hostname of your Azure DevOps or TFS server, like tfs.mycompany.com.

Q: What notifications may I receive about my SSH keys?

A: Whenever you register a new SSH Key with Azure DevOps Services, you will receive an email notification informing you that a new SSH key has been added to your account.

Azure Devops Git Authentication

Q: What do I do if I believe that someone other than me is adding SSH keys on my account?

A: If you receive a notification of an SSH key being registered and you did not manually upload it to the service, your credentials may have been compromised.

The next step would be to investigate whether or not your password has been compromised. Changing your password is always a good first step to defend against this attack vector. If you’re an Azure Active Directory user, talk with your administrator to check if your account was used from an unknown source/location.

Q: What do I do if I'm still prompted for my password and GIT_SSH_COMMAND='ssh -v' git fetch shows no mutual signature algorithm?

A: Some Linux distributions, such as Fedora Linux, have crypto policies that require stronger SSH signature algorithms than Azure DevOps supports (as of January 2021). There's an open feature request to add this support.

You can work around the issue by adding the following code to your SSH configuration (~/.ssh/config):

Sourcetree Azure Devops Insufficient Authentication Credentials

Replace ssh.dev.azure.com with the correct host name if you use Azure DevOps Server.