Tags: azure, azure-devops, azure-pipelines, git-submodules, azure-pipelines-yaml

DevOps self-hosted agent - submodule checkout SSH host key verification failed


I have installed an Azure DevOps self-hosted agent on Windows Server 2025, and I get an error when checking out repositories in pipelines. I'm using Azure DevOps repositories.

I have followed the instructions of the InstallSSHKey@0 task, but it doesn't work for me.

  1. Execute ssh-keygen -t rsa-sha2-512, which gives me a private key and a .pub (public key) file. Upload the private key to securefiles and copy the public key to the sshPublicKey input in the yml
  2. Execute ssh-keyscan ssh.dev.azure.com and copy the value to knownHostsEntry in the yml pipeline
  3. Also add the public key to UserSettings > SSH Public Keys

In the log, I can see that "Install SSH Key" is executing correctly and the checkout is going well downloading the main repository, but it fails downloading submodules.

Cloning into 'C:/agent/_work/1/s/submodule'...
Host key verification failed.
fatal: Could not read from remote repository.

Here is my pipeline yml.

# Select self hosted agent
pool:
   name: Default
   demands: 
   - Agent.Name -equals Agent2-Windows

# InstallSSH Key and Checkout steps
steps:
- task: InstallSSHKey@0
  displayName: 'Install an SSH key'
  inputs:
    knownHostsEntry: |
       ssh.dev.azure.com ssh-rsa AAAAB3N.....
    sshPublicKey: |
      ssh-rsa AAAAB3N.... #Content of .pub file
    sshKeySecureFile: #private key uploaded to securefiles

- checkout: self
  displayName: Checkout
  fetchDepth: 1
  submodules: true
  clean: true

Solution

  • I have seen that the InstallSSHKey@0 task doesn't work correctly when the self-hosted agent is running as the NT AUTHORITY\NETWORK SERVICE user.

    So I created a new user and configured the self-hosted agent to run as the newly created user.

    Create User

    $pass = Read-Host -AsSecureString "Insert password"
    New-LocalUser -Name "devops-agent-user" -Password $pass -FullName "Agente Azure DevOps" -Description "User for devops agent"
    Add-LocalGroupMember -Group "Users" -Member "devops-agent-user"
    

    Configure Self-Hosted Agent using unattended mode

    .\config.cmd --unattended `
     --url https://dev.azure.com/COMPANY `
     --auth pat `
     --token <TOKEN> `
     --pool Default `
     --agent <AGENT_NAME> `
     --runAsService `
     --enableservicesidtypeunrestricted `
     --windowsLogonAccount ".\devops-agent-user" `
     --windowsLogonPassword "<USER_PASSWORD>"
    

    Following these steps, I solved the problem, and now checkout is working well, including git submodules.
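
An added example, not part of the original question or answer: `ssh-keyscan` output is unauthenticated, so the line copied into `knownHostsEntry` in step 2 of the question can be checked against the host key fingerprint the provider publishes before it is pinned. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Length-prefixed byte string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def parse_known_hosts_line(line):
    """Return (hosts, key_type, key_blob) for one plain known_hosts line."""
    fields = line.split()
    if len(fields) < 3 or fields[0][0] in "#@|":
        raise ValueError("expected '<hosts> <key-type> <base64-key>'")
    hosts, key_type = fields[0].split(","), fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob repeats the key type as its first SSH string; a mismatch
    # means the line was truncated or edited while being pasted.
    if blob[:4 + len(key_type)] != ssh_string(key_type.encode("ascii")):
        raise ValueError("declared key type does not match key blob")
    return hosts, key_type, blob


def sha256_fingerprint(blob):
    """Fingerprint in the form OpenSSH prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_entry(line, expected_host, trusted_fingerprint):
    """Return a list of problems; an empty list means the entry may be pinned."""
    hosts, _, blob = parse_known_hosts_line(line)
    problems = []
    if expected_host not in hosts:
        problems.append("entry does not name " + expected_host)
    actual = sha256_fingerprint(blob)
    if actual != trusted_fingerprint:
        problems.append("fingerprint mismatch: " + actual)
    return problems


# Constructed sample (not a real key): exponent 65537 and a dummy modulus.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + bytes(range(1, 33)) * 8))
SAMPLE_LINE = "ssh.dev.azure.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    # In real use, pass the fingerprint the provider publishes (placeholder here).
    print(check_entry(SAMPLE_LINE, "ssh.dev.azure.com", sha256_fingerprint(SAMPLE_BLOB)) or "ok")
```

The fingerprint string has the same form that `ssh-keygen -lf` prints, so the two can be compared directly.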