Using SSH to authenticate Git in Azure DevOps

Captions
Hi, and welcome to this video on how to use an SSH key to log in to your dev.azure.com account from Git. In the previous video I've shown how simple it is to use one of the standard Git credential managers available on Linux to cache your credentials and to use, as in Windows, a standard personal access token to log in to your dev.azure.com account. But usually users experienced in Linux are more familiar with, and like more, the SSH key. I'm not going to explain the whole SSH structure, but you've got a nice tutorial on various Git providers, like Azure DevOps or GitHub, on how you can create an SSH key to log in to your server.

An SSH key is a really secure way to connect to your account. The first step is creating a couple of private/public keys in your account, and that's basic knowledge about public/private key cryptography: you generate a key where one part of the key is called private, and it's the key you need to keep secret in your account, while you have another part of the key that is called public, and that's the key you can distribute in your system, and you can use your private key to verify that you indeed possess the private key corresponding to that public key. With this process you can do a lot of things, and SSH uses this method to authenticate you against a server without requiring you to use a password, but using a private key.

So the first step is generating a private/public couple of keys. You can use various options, and here I'm using RSA. It is probably the old type of key you use with SSH; if you, as an example, go on GitHub, it's suggesting you use a different algorithm, but this is not important for this tutorial. Just stick with RSA with 4096-bit length, because it's really super secure, and you just insert your email. OK, now the system is asking you where to save the key. You can leave the default: there is a .ssh folder under your own folder, and the key is usually called id_rsa. You can just leave the default.

Then you are asked for a password, and that's important, because the private key is a file that has a key that corresponds to your identity. If you get to lose that file you are in trouble, because each person that has your private key can automatically log in to every server where you configured SSH with your public key. So it is usually a good idea to protect your local private key file with a password that is used to encrypt the file. So the id_rsa file that will be generated will be encrypted with a password, and you will be asked for that password when you want to use the key to access your server. So please be sure to use a password, and resist the temptation of using an empty password.

OK, once you created your password, your private key, you should have a couple of new files in your .ssh folder, and as you can see you have id_rsa and id_rsa.pub, and that's the public key. Let's just look at what's inside your public key. OK, it's a text file where I simply have a header, ssh-rsa, that contains the algorithm used to generate the key, it's RSA, and then the key, so nothing complex.

Now, what can I do with this public key? First of all you can select everything and copy the whole key; it's just a bunch of ASCII characters, so it can just be copied. Go to your dev.azure.com account. Now I'm in the personal access token section, but I need to go to the SSH public keys, and this is the place where I am storing my public key. As you can see I have already configured a WSL 2 account, so I have already set a key. But the important thing is that the SSH connection is really much more secure, because not only are you authenticated to the server, but you can check the fingerprint of the server and verify if it corresponds to what is answering when you connect to the server. So the idea is, when you connect to the server, not only are you sending your information to let the server verify that you are indeed who you claim to be, but you can also check the fingerprint of the server to understand that there's no man in the middle that is trying to fool you into authenticating on a server that is not your real server.

To add the key just press New Key, give it a name, and it's "demo linux", and you can just paste the public key data and press Add. It is simple. If the format is OK and you didn't get any error, you have your new public key, and you always have the option of removing this SSH key if you don't want the private key to be able to authenticate to this account anymore. So you can always revoke your key from a server.

And if you click on the key, on the contrary of a personal access token, where you cannot see your personal access token anymore after it is generated, and I want to demonstrate this: you go to the personal access token and you can click, but you have only the option to get a new token, to revoke, and if you edit it you can just change the scope of the token. There is no place where the server shows you the token, because the token is actually not saved on the server, for maximum security. You need to keep note of your generated token because the server does not have it anymore. While in SSH public keys I can always see my public key, because thanks to public key cryptography this public key is indeed public. There's no secret about it. The only particular aspect of this public key data is that it is cryptographically bound to my private key, so I, and only I, that have the private key, can verify that I indeed have a private key that corresponds to this public key.

Now, there is one big difference in using an SSH key with respect to using the standard HTTPS way to connect to your server. If you press Clone, you need to notice that I have the SSH option, because the URL you're using to log in, to clone your repository, is different, because the Git client needs to understand that this is indeed not an HTTPS connection but an SSH connection. OK, so you have the option to manage SSH keys directly on the clone repository. If you press this you are taken to your SSH key page, the page where I was before. You can press the link to learn more about SSH, but if you are a Linux user you should already be experienced with SSH, and I can just copy the URL to the clipboard to connect to my repository.

The process of cloning is almost identical. I say git clone and the URL, but this time the URL is different because it's an SSH URL. OK, now that's the important part. The first time you are connecting to a server, your SSH client tells you that someone responded to your request and you don't know the authenticity of the host, because it's the first time that this machine is connecting to the server. So it is actually telling you that this is the fingerprint of the server. That's important, because before sending any authentication information against this server you can verify if this is indeed the real SHA-256, the real hash of your server. So just go to Manage SSH Keys and you have the fingerprint, so you can take your terminal and verify if the key is the same. So it's ohd eight vd blah blah blah blah; you can copy and paste into a text editor to verify that it's equal, but yeah, that's the same fingerprint.

So now I am sure that no one is in the middle between me and the server, pretending to be this server, and that is guaranteed by cryptographic API, by cryptographic math. So there's no one else that can claim to have this fingerprint, because to claim having this fingerprint the server should have the private key associated to this server, and it's clear that the private key is in Microsoft's hands, because it's Microsoft that handles dev.azure.com. So if anyone else is capable of doing a man-in-the-middle connection and creating a fake server where it can intercept my push, as an example, and steal my code, it is not able to do this because it should be able to match the fingerprint.

OK, this happens only the first time you are looking for this server, and that's because if you are in your .ssh folder you see a file called known_hosts. So if you check what is inside known_hosts, it contains, as an example, one entry. I don't know what the host is, it's not important now, but the idea is, if you say yes, you are telling your SSH client: yes, I confirm that this is the right fingerprint for ssh.dev.azure.com, so you can proceed, I trust this connection.

OK, I'm sorry. And now you are prompted for a password to unlock your private key, because as I told you before your private key should be protected by a password, or, if anyone is capable of stealing your id_rsa file from you, they are able to log in to any server that has your public key. So now you are prompted to put a password to unlock your private key, and you can flag this option to automatically lock this key when you're logging in, depending on how secure you want to be. I can just leave this and check it and type the password, and you're ready to go. As you see, you just cloned your repository, and if you view the known_hosts content again you can see that you have other entries that correspond to Azure DevOps.

So this means that if I'm going to remove my log library, sorry, now if I'm going to clone again, what I've got is I am not presented anymore with the SHA, with the hash of the server, because it's now in the known_hosts. So this client contacted the server, it got this fingerprint, that corresponds to the known_hosts, and it knows no one is in the middle: the server that is answering is indeed Azure, dev.azure.com. And now, since my credential, my password that is used to protect the private key, is stored in my keyring, I am not required to type the password of my private key anymore, and if I'm going to reboot the machine, the next time I'm logging in I will be prompted again for the password of the private key.

But you need to be aware that this is a standard way of using credentials for SSH servers for Linux users, so if you are a Linux user you probably already have a private key, you probably already have your way to make your private keys secure, and so there is no reason not to use SSH to connect to your Azure DevOps account, mainly because you have this extra security of being able to verify that the server is indeed who it claims to be, and you are not subjected to man-in-the-middle attacks. And that's all for this video. I'm waiting for you in the next video.
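The fingerprint comparison described in the captions above, as an added example that is not part of the video: it derives the `SHA256:` fingerprint OpenSSH prints from a plain (unhashed) `known_hosts` entry and compares it with the value published by the service. The function names are hypothetical, the key blob is constructed sample data rather than a real Azure DevOps host key, and `PUBLISHED` stands in for the fingerprint copied from the SSH keys page.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, blob) from a plain (unhashed) known_hosts entry."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own key-type string; it must agree with the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match declared type")
    return hosts.split(","), key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in the form OpenSSH prints: SHA256:<unpadded base64 of digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(line: str, published: str) -> bool:
    """Compare the entry's fingerprint with the one published by the service."""
    _, _, blob = parse_known_hosts_line(line)
    computed = sha256_fingerprint(blob).encode("utf-8")
    return hmac.compare_digest(computed, published.strip().encode("utf-8"))


# Constructed sample key blob (not a real host key): type, exponent, modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(bytes(range(1, 129))))
SAMPLE_LINE = ("ssh.dev.azure.com ssh-rsa "
               + base64.b64encode(SAMPLE_BLOB).decode("ascii"))
# Stand-in for the fingerprint copied from the service's SSH keys page.
PUBLISHED = sha256_fingerprint(SAMPLE_BLOB)

if __name__ == "__main__":
    print(PUBLISHED)
    print("match:", host_key_matches(SAMPLE_LINE, PUBLISHED))
```

Comparing the whole string programmatically avoids the partial, by-eye check of the first few characters; any difference in the key blob changes the fingerprint.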
Info
Channel: CodeWrecks
Views: 13,139
Keywords: Git, SSH
Id: kzLJna_aqIM
Length: 15min 22sec (922 seconds)
Published: Sat Mar 12 2022