Setting up Azure Git SSH Proxy
GIST: https://gist.github.com/das-peter/2ca849ed7c9029a258711b634efd252a
Why
Currently Microsoft Azure Git seems to lack support for SHA-2 (the rsa-sha2-256/rsa-sha2-512 signature schemes).
And as of OpenSSH 8.8, the less secure SHA-1 based ssh-rsa signature algorithm has been disabled by default.
More information about the lack of SHA-2 in Azure Git:
- https://developercommunity.visualstudio.com/t/Missing-Support-of-SHA-2-algorithm-for-O/1562711
- https://developercommunity.visualstudio.com/t/Git-SSH-access-offers-weak-algorithms-r/1547526
Now if you don't have full access to whatever system runs OpenSSH >=8.8, you're between a rock and a hard place.
Azure isn't likely to move, but why should the other party move and re-enable less secure algorithms?
For us the only quick solution was to configure a dedicated SSH proxy on one of our existing servers.
The SSH proxy accepts connections from OpenSSH >=8.8 systems and forwards them to Azure using the less secure algorithm that keeps Azure happy. Note that the weak algorithm is then only negotiated on the proxy-to-Azure leg; the client-to-proxy leg keeps the client's defaults.
How
You need to create a dedicated proxy user on a server where you have full control over the ssh service.
In the following scenario we used the username azure.
It is assumed that you already have a key pair for the Azure account you'd like to use to access Azure Git.
Creating Azure User:

```bash
sudo useradd -m azure
sudo mkdir /home/azure/.ssh/
# `sudo echo "..." >> file` does not work as intended: the redirection is done by
# the calling user's shell, not by root. Append through `sudo tee -a` instead.
sudo tee -a /home/azure/.ssh/config <<'EOF'
Host ssh.dev.azure.com
HostkeyAlgorithms +ssh-rsa
#PubkeyAcceptedAlgorithms +ssh-rsa
#HostkeyAlgorithms +ssh-rsa
User git
IdentityFile /home/azure/.ssh/id_azure
EOF
```
!! Enable (uncomment) PubkeyAcceptedAlgorithms / HostkeyAlgorithms in that config if the proxy server itself runs OpenSSH >=8.8 (use `ssh -V` to check the version).
This re-enables the less secure ssh-rsa algorithm, scoped to the `Host ssh.dev.azure.com` block only, which is what Azure requires.
!! Add the private key of your Azure account to `/home/azure/.ssh/id_azure`.
Test connection:

```bash
sudo runuser -u azure -- ssh -v ssh.dev.azure.com
```

Check for "debug1: Authentication succeeded (publickey)."
Follow-up errors like "shell request failed on channel 0" are fine: Azure DevOps only serves git commands over SSH and offers no interactive shell.
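The two manual checks above (is the OpenSSH version one that disables ssh-rsa, and did the proxy user's key actually authenticate) can be scripted. This is an added helper, not part of the gist; the sample logs inside it are constructed, not real captures, and the script name `check_azure_proxy.sh` is just an assumption.

```bash
#!/bin/sh
# Added helper for the proxy setup described above; not part of the gist.
# Parses the local OpenSSH version and a captured `ssh -v ssh.dev.azure.com`
# log so the two manual checks in the text can be scripted.

# Return 0 when the version string (output of `ssh -V 2>&1`) is OpenSSH 8.8
# or newer, the release that disabled SHA-1 ssh-rsa signatures by default
# and therefore needs the +ssh-rsa lines in /home/azure/.ssh/config.
needs_rsa_sha1_workaround() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2              # not an OpenSSH banner
    major=${ver% *}; minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 8 ]; }
}

# Return 0 when the log shows the proxy user's key was accepted by Azure.
# A later "shell request failed on channel 0" is expected: Azure DevOps
# serves git commands only, no interactive shell.
azure_auth_ok() {
    grep -q 'debug1: Authentication succeeded (publickey)' "$1"
}

# Return 0 when the log shows the host-key negotiation failure caused by the
# missing SHA-2 support on the Azure side (what the +ssh-rsa entry fixes).
hostkey_rejected() {
    grep -q 'no matching host key type found' "$1"
}

# Constructed sample logs (not real captures) so the checks run offline.
SAMPLE_OK=$(mktemp); SAMPLE_FAIL=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_FAIL"' EXIT
cat >"$SAMPLE_OK" <<'EOF'
debug1: Offering public key: /home/azure/.ssh/id_azure RSA SHA256:AAAA explicit
debug1: Authentication succeeded (publickey).
shell request failed on channel 0
EOF
cat >"$SAMPLE_FAIL" <<'EOF'
Unable to negotiate with 203.0.113.10 port 22: no matching host key type found. Their offer: ssh-rsa
EOF

# Usage: sh check_azure_proxy.sh --check   (runs the live version check)
if [ "${1:-}" = "--check" ]; then
    if needs_rsa_sha1_workaround "$(ssh -V 2>&1)"; then
        echo "OpenSSH >= 8.8: keep the +ssh-rsa entries in /home/azure/.ssh/config"
    else
        echo "OpenSSH < 8.8: ssh-rsa is still accepted by default"
    fi
fi
```

To check a real run, capture the test connection with `sudo runuser -u azure -- ssh -v ssh.dev.azure.com 2>log.txt` and call `azure_auth_ok log.txt`.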
Allow Lagoon access to the azure user.

```bash
sudo touch /home/azure/.ssh/known_hosts
sudo touch /home/azure/.ssh/authorized_keys
sudo chmod 644 /home/azure/.ssh/*
sudo chmod 400 /home/azure/.ssh/id_azure
# Recursive and last: .ssh and the files in it were created by root above, and a
# root-owned key with mode 400 would be unreadable for the azure user itself.
sudo chown -R azure:azure /home/azure
```

!! Add the public key of Lagoon to `/home/azure/.ssh/authorized_keys`:

```bash
echo "ssh-ed25519 [VERY-ELLIPTIC-MUCH-SECURE] Lagoon-Key" | sudo tee -a /home/azure/.ssh/authorized_keys
```
Configure SSHD to force ssh forwarding to ssh.dev.azure.com for user azure.

```bash
# Appending is deliberate: a Match block applies to everything after it, so it
# has to come after the global options in sshd_config.
sudo tee -a /etc/ssh/sshd_config <<'EOF'

Match User azure
    ForceCommand ssh -t ssh.dev.azure.com $SSH_ORIGINAL_COMMAND
EOF
# Validate the config before restarting, otherwise a typo can lock you out.
sudo sshd -t && sudo systemctl restart ssh.service
```

Now you should be able to execute the following command locally, given your local public key was also added to `/home/azure/.ssh/authorized_keys`:

```bash
git clone azure@[YOUR_SERVER_HOSTNAME]:v3/MY-VERY/OWN/GIT-REPO-PATH
```

Keep in mind that every key in that authorized_keys file acts towards Azure as the single identity behind `id_azure`, so that file is effectively the access list for the Azure account.