Git on WSL over SSH to Azure DevOps fails with "Permission denied (password,publickey)."

Question

I am trying to clone one of our repositories but I always get prompted for the password of {myco}@vs-ssh.visualstudio.com's password. My environment is WSL, Pengwin (essentially Debian), latest git. The content of ~/.ssh:

-rw------- 1 val val  738 Dec  2 21:09 authorized_keys
-rwx------ 1 val val  562 Mar 28 20:21 config*
-r-------- 1 val val  399 Mar 28 17:42 id_ed25519
-r-------- 1 val val   93 Mar 28 17:42 id_ed25519.pub
-r-------- 1 val val 1.8K Mar 28 17:42 id_rsa
-r-------- 1 val val 1.8K Mar 28 20:04 id_rsa_ado
-r-------- 1 val val  393 Mar 28 20:04 id_rsa_ado.pub
-r-------- 1 val val  394 Mar 28 17:42 id_rsa.pub
-rw-r--r-- 1 val val 3.9K Mar 10 11:20 known_hosts

On Azure DevOps:

Name id_rsa_ado.pub
Fingerprint 39:03:4b:6e:4b:3b:92:6c:c9:c0:f5:c2:b6:bc:8c:da

On my machine:

❯ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa_ado
2048 MD5:39:03:4b:6e:4b:3b:92:6c:c9:c0:f5:c2:b6:bc:8c:da Val Melamed (RSA)

The contents of ~/.ssh/config:

CanonicalizeHostname yes

Host github.com
  HostName github.com
  IdentityFile ~/.ssh/id_ed25519

Host vs-ssh.visualstudio.com
  HostName vs-ssh.visualstudio.com
  User {myco}
  IdentityFile ~/.ssh/id_rsa_ado

Host vs-ssh.visualstudio.com
  HostName vs-ssh.visualstudio.com
  User {myco}
  IdentityFile ~/.ssh/id_rsa_ado

Host *
  User git
  ForwardAgent yes
  AddKeysToAgent yes
  LogLevel FATAL
  ServerAliveInterval 300
  TCPKeepAlive no
  IdentitiesOnly yes

Note that above for the user, I tried both "git" and "{myco}" with the same results.

The SSH test passes:

❯ ssh -Tv {myco}@vs-ssh.visualstudio.com
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /home/val/.ssh/config
debug1: /home/val/.ssh/config line 7: Applying options for vs-ssh.visualstudio.com
debug1: /home/val/.ssh/config line 12: Applying options for vs-ssh.visualstudio.com
debug1: /home/val/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: hostname canonicalisation enabled, will re-parse configuration
debug1: re-parsing configuration
debug1: Reading configuration data /home/val/.ssh/config
debug1: /home/val/.ssh/config line 7: Applying options for vs-ssh.visualstudio.com
debug1: /home/val/.ssh/config line 12: Applying options for vs-ssh.visualstudio.com
debug1: /home/val/.ssh/config line 17: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to vs-ssh.visualstudio.com [20.41.6.12] port 22.
debug1: Connection established.
debug1: identity file /home/val/.ssh/id_rsa_ado type 0
debug1: identity file /home/val/.ssh/id_rsa_ado-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5
debug1: Remote protocol version 2.0, remote software version SSHBlackbox.10
debug1: no match: SSHBlackbox.10
debug1: Authenticating to vs-ssh.visualstudio.com:22 as 'thycotic'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og
debug1: Host 'vs-ssh.visualstudio.com' is known and matches the RSA host key.
debug1: Found key in /home/val/.ssh/known_hosts:12
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/val/.ssh/id_rsa_ado RSA SHA256:lxYw6Y7pOlaF68Hwovn7xiQrT7DKZjEuZFR3AnlZW7Q explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/val/.ssh/id_rsa_ado RSA SHA256:lxYw6Y7pOlaF68Hwovn7xiQrT7DKZjEuZFR3AnlZW7Q explicit agent
debug1: Server accepts key: /home/val/.ssh/id_rsa_ado RSA SHA256:lxYw6Y7pOlaF68Hwovn7xiQrT7DKZjEuZFR3AnlZW7Q explicit agent
debug1: Authentication succeeded (publickey).
Authenticated to vs-ssh.visualstudio.com ([20.41.6.12]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
remote: Shell access is not supported.
shell request failed on channel 0

And clone fails:

❯ sudo git clone {myco}@vs-ssh.visualstudio.com:v3/{myco}/{project}/{repo}
Cloning into '{repo}'...
{myco}@vs-ssh.visualstudio.com's password:
Permission denied, please try again.
{myco}@vs-ssh.visualstudio.com's password:
Permission denied, please try again.
{myco}@vs-ssh.visualstudio.com's password:
{myco}@vs-ssh.visualstudio.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

The things in {} braces are of course placeholders for my company, project, and repository.

All this used to work, then it stopped with the above behavior. Tried many things, generated a new key (above) but no dice... Is someone seeing what am I missing or doing wrong?

Answer 1

I removed the sudo in front of the git clone and that fixed it.