Disable Weak Cipher Protocols and Keys in Azure DevOps Server

Question

Disable Weak Cipher Protocols and Keys in Azure DevOps Server

Isac 0

What steps are needed to disable weak cipher protocols and keys, specifically the ssh-rsa cipher, in Azure DevOps Server? Attempts to remove the line HostkeyAlgorithms +ssh-rsa from the SSH config as specified by Microsoft have not resolved the issue, and ssh-rsa is still present. The server is running on Windows Server 2019.

Chiugo Okpala 1,905 Reputation points MVP

2025-05-20T11:05:16.17+00:00
@Isac welcome to the Microsoft Q&A community.

Disabling weak cipher protocols and keys in Azure DevOps Server, especially ssh-rsa, can be a challenge. Since removing HostkeyAlgorithms +ssh-rsa from the SSH config hasn't worked, here are some alternative steps you can try:

Modify the Azure DevOps Configuration Database

Connect to the Azure DevOps Configuration database and run the following query: sql
exec prc_SetRegistryValue 1, '#\Configuration\SshServer\KexInitOptions\kex_algorithms\', 'diffie-hellman-group-exchange-sha256'

This ensures that only stronger key exchange algorithms are used.

Disable CBC Ciphers (if needed)

If CBC ciphers are also flagged as weak, you can run: sql
exec prc_SetRegistryValue 1, '#\Configuration\SshServer\KexInitOptions\encryption_algorithms\', 'aes128-ctr,aes256-ctr'

This forces the use of CTR-based encryption, which is more secure.

Use IIS Crypto (if applicable)

Some users have reported success using IIS Crypto to disable weak ciphers on Windows Server.

However, if IIS Crypto does not list the protocols you need to disable, you may need to use PowerShell.

Check OpenSSH Configuration

If Azure DevOps Server is using OpenSSH, ensure that the sshd_config file explicitly excludes ssh-rsa.

You can try adding:
HostKeyAlgorithms -ssh-rsa

Restart the SSH service after making changes.

Consult Microsoft Documentation & Community

Microsoft Q&A and community forums have discussions on this issue.

If none of the above solutions work, consider raising a support ticket with Microsoft.

I hope these helps. Let me know if you have any further questions or need additional assistance.

Also if these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.
Siva Pavuluri 485 Reputation points Microsoft External Staff Moderator

2025-05-21T09:49:10.9+00:00

Hi Isac,

Following up to see if the above answer was helpful.

If this answers your query, do click Accept Answer and Upvote for was this answer helpful. And, if you have any further query do let us know.

Thank you.
Siva Pavuluri 485 Reputation points Microsoft External Staff Moderator

2025-05-22T10:02:05.3766667+00:00

Hi Isac,

Following up to see if the above answer was helpful.

If this answers your query, do click Accept Answer and Upvote for was this answer helpful. And, if you have any further query do let us know.

Thank you.
Isac 0 Reputation points

2025-05-27T13:14:54.2+00:00

Thanks for the considaration. I´ll give a feedback as soon as I test it as I´m waiting for permition.

Your answer

Chiugo Okpala 1,905 Reputation points MVP

2025-05-20T11:05:16.17+00:00

@Isac welcome to the Microsoft Q&A community.

Disabling weak cipher protocols and keys in Azure DevOps Server, especially ssh-rsa, can be a challenge. Since removing HostkeyAlgorithms +ssh-rsa from the SSH config hasn't worked, here are some alternative steps you can try:

Modify the Azure DevOps Configuration Database

Connect to the Azure DevOps Configuration database and run the following query: sql
exec prc_SetRegistryValue 1, '#\Configuration\SshServer\KexInitOptions\kex_algorithms\', 'diffie-hellman-group-exchange-sha256'

This ensures that only stronger key exchange algorithms are used.

Disable CBC Ciphers (if needed)

If CBC ciphers are also flagged as weak, you can run: sql
exec prc_SetRegistryValue 1, '#\Configuration\SshServer\KexInitOptions\encryption_algorithms\', 'aes128-ctr,aes256-ctr'

This forces the use of CTR-based encryption, which is more secure.

Use IIS Crypto (if applicable)

Some users have reported success using IIS Crypto to disable weak ciphers on Windows Server.

However, if IIS Crypto does not list the protocols you need to disable, you may need to use PowerShell.

Check OpenSSH Configuration

If Azure DevOps Server is using OpenSSH, ensure that the sshd_config file explicitly excludes ssh-rsa.

You can try adding:
HostKeyAlgorithms -ssh-rsa

Restart the SSH service after making changes.

Consult Microsoft Documentation & Community

Microsoft Q&A and community forums have discussions on this issue.

If none of the above solutions work, consider raising a support ticket with Microsoft.

I hope these helps. Let me know if you have any further questions or need additional assistance.

Also if these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.
Siva Pavuluri 485 Reputation points Microsoft External Staff Moderator

2025-05-21T09:49:10.9+00:00

Hi Isac,

Following up to see if the above answer was helpful.

If this answers your query, do click Accept Answer and Upvote for was this answer helpful. And, if you have any further query do let us know.

Thank you.
Siva Pavuluri 485 Reputation points Microsoft External Staff Moderator

2025-05-22T10:02:05.3766667+00:00

Hi Isac,

Following up to see if the above answer was helpful.

If this answers your query, do click Accept Answer and Upvote for was this answer helpful. And, if you have any further query do let us know.

Thank you.
Isac 0 Reputation points

2025-05-27T13:14:54.2+00:00

Thanks for the considaration. I´ll give a feedback as soon as I test it as I´m waiting for permition.

Share via

Disable Weak Cipher Protocols and Keys in Azure DevOps Server

Your answer