@Isac
Good to know that the suggested answers was helpful.
So do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.
Disable Weak Cipher Protocols and Keys in Azure DevOps Server
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 51%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Isac
0
Reputation points
What steps are needed to disable weak cipher protocols and keys, specifically the ssh-rsa cipher, in Azure DevOps Server? Attempts to remove the line HostkeyAlgorithms +ssh-rsa from the SSH config as specified by Microsoft have not resolved the issue, and ssh-rsa is still present. The server is running on Windows Server 2019.
Azure DevOps
{count} votes
-
Chiugo Okpala 1,920 Reputation points MVP2025-05-20T11:05:16.17+00:00 @Isac welcome to the Microsoft Q&A community.
Disabling weak cipher protocols and keys in Azure DevOps Server, especially ssh-rsa, can be a challenge. Since removing
HostkeyAlgorithms +ssh-rsafrom the SSH config hasn't worked, here are some alternative steps you can try:- Modify the Azure DevOps Configuration Database
- Connect to the Azure DevOps Configuration database and run the following query: sql
exec prc_SetRegistryValue 1, '#\Configuration\SshServer\KexInitOptions\kex_algorithms\', 'diffie-hellman-group-exchange-sha256' - This ensures that only stronger key exchange algorithms are used.
- Connect to the Azure DevOps Configuration database and run the following query: sql
- Disable CBC Ciphers (if needed)
- If CBC ciphers are also flagged as weak, you can run: sql
exec prc_SetRegistryValue 1, '#\Configuration\SshServer\KexInitOptions\encryption_algorithms\', 'aes128-ctr,aes256-ctr' - This forces the use of CTR-based encryption, which is more secure.
- If CBC ciphers are also flagged as weak, you can run: sql
- Use IIS Crypto (if applicable)
- Some users have reported success using IIS Crypto to disable weak ciphers on Windows Server.
- However, if IIS Crypto does not list the protocols you need to disable, you may need to use PowerShell.
- Check OpenSSH Configuration
- If Azure DevOps Server is using OpenSSH, ensure that the
sshd_configfile explicitly excludesssh-rsa. - You can try adding:
HostKeyAlgorithms -ssh-rsa - Restart the SSH service after making changes.
- If Azure DevOps Server is using OpenSSH, ensure that the
- Consult Microsoft Documentation & Community
- Microsoft Q&A and community forums have discussions on this issue.
- If none of the above solutions work, consider raising a support ticket with Microsoft.
I hope these helps. Let me know if you have any further questions or need additional assistance.
Also if these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.
- Modify the Azure DevOps Configuration Database
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-05-21T09:49:10.9+00:00 Hi Isac,
Following up to see if the above answer was helpful.
If this answers your query, do click Accept Answer and Upvote for was this answer helpful. And, if you have any further query do let us know.
Thank you.
-
Anonymous
2025-05-22T10:02:05.3766667+00:00 Hi Isac,
Following up to see if the above answer was helpful.
If this answers your query, do click Accept Answer and Upvote for was this answer helpful. And, if you have any further query do let us know.
Thank you.
-
Isac 0 Reputation points
2025-05-27T13:14:54.2+00:00 Thanks for the considaration. I´ll give a feedback as soon as I test it as I´m waiting for permition.
Sign in to comment
2 answers
Sort by: Most helpful
-
-
Isac 0 Reputation points
2025-07-17T06:33:07.2233333+00:00 Hi @Chiugo Okpala @Anonymous ,
Thank you very much for your support and for sharing the solution. It helped me successfully fix the vulnerability. I truly appreciate the time and effort you put into helping.