
It is possible to clone a fresh repository created in Azure DevOps, without being prompted for a password or security token. For example, after creating the Repo, it is possible to clone the repository from the command line using:
https://username@dev.azure.com/organization-name/project-name/_git/repo-name

There was no prompt to authenticate on the desktop command line before cloning the repository. My concern is that anyone can guess URL strings and try to clone private repositories.

When choosing to clone a repository, I have created a password, and also created a personal access token, but still no prompt for any security on the command line.

What is the proper way to secure an Azure DevOps repository?

crayden

2 Answers


Azure DevOps, like most Git hosting sites, provides both public and private repositories. A public repository will be accessible to anyone with the URL; a private repository will require authentication.

If you aren't seeing any authentication prompts, then it's possible your repository is public. If so, and you don't want it to be, you can view the repository overview in the web interface, click the pencil icon next to the name, and set the visibility to private.

It's also possible that the repository is already private, but you have credentials stored in your Git credential manager that let you have access to the repository and are therefore not prompted. At the Git Bash prompt, you can run GIT_TRACE=1 GIT_CURL_VERBOSE=1 git clone URL and you'll see whether an Authorization header is included. If so, you'll probably also see a call to git credential fill to fill the credentials from your credential store. In this case, there's nothing to worry about, since authentication is required, but you're authorized.

bk2204
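The trace check this answer describes, as an added example (not code from the question or either answer): a small Python script that reads the output of GIT_TRACE=1 GIT_CURL_VERBOSE=1 git clone URL and reports whether an Authorization header was sent, whether a credential helper was invoked, and what the server answered. The two log samples are constructed to resemble git's verbose curl output and are abridged; the credential-manager invocation line and the timestamps are illustrative. Recent git versions print the header value as "<redacted>", which is what the sample shows.

```python
"""Classify a GIT_TRACE=1 GIT_CURL_VERBOSE=1 clone log: was the clone authenticated?

Added example for this answer; not code from the question or the answers.
The log text below is constructed and abridged; real output is much longer.
"""
import re

# Constructed sample: the first request is anonymous and rejected (401), git
# then asks the credential helper, and the retried request carries an
# Authorization header (recent git replaces the value with "<redacted>").
SAMPLE_TRACE_PRIVATE = """\
12:00:00.000001 git.c:444 trace: built-in: git clone https://dev.azure.com/org/proj/_git/repo
> GET /org/proj/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
> Host: dev.azure.com
> User-Agent: git/2.40.0
< HTTP/1.1 401 Unauthorized
12:00:00.000002 run-command.c:663 trace: run_command: 'git credential-manager get'
> GET /org/proj/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
> Host: dev.azure.com
> Authorization: Basic <redacted>
< HTTP/1.1 200 OK
"""

# Constructed sample: a public repository serves refs with no credential at all.
SAMPLE_TRACE_PUBLIC = """\
12:00:00.000001 git.c:444 trace: built-in: git clone https://dev.azure.com/org/proj/_git/repo
> GET /org/proj/_git/repo/info/refs?service=git-upload-pack HTTP/1.1
> Host: dev.azure.com
< HTTP/1.1 200 OK
"""

AUTH_HEADER = re.compile(r"^> Authorization:", re.MULTILINE)
HELPER_CALL = re.compile(r"trace: run_command: .*credential", re.MULTILINE)
STATUS_LINE = re.compile(r"^< HTTP/\S+ (\d{3})", re.MULTILINE)


def analyze_trace(log: str) -> dict:
    """Return what the log reveals about authentication on the clone."""
    statuses = [int(code) for code in STATUS_LINE.findall(log)]
    auth_sent = bool(AUTH_HEADER.search(log))
    helper_called = bool(HELPER_CALL.search(log))
    if auth_sent and 200 in statuses:
        verdict = "authenticated"  # private repo, a stored credential was supplied
    elif 200 in statuses:
        verdict = "anonymous"      # server served refs without any credential
    elif 401 in statuses:
        verdict = "rejected"       # credential missing or refused by the server
    else:
        verdict = "unknown"
    return {
        "auth_header_sent": auth_sent,
        "credential_helper_called": helper_called,
        "status_codes": statuses,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    # Usage: GIT_TRACE=1 GIT_CURL_VERBOSE=1 git clone URL 2>&1 | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE_PRIVATE
    for key, value in analyze_trace(text).items():
        print(f"{key}: {value}")
```

A verdict of "authenticated" is the harmless case the answer describes: the repository is private and the clone only succeeded because a stored credential was sent. A verdict of "anonymous" means the refs were served with no credential, which is what you would see on a public repository.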

If your repository was actually private, but you did not have any credential prompt, check the output of:

git config credential.helper

On Windows, for example, that would be Windows Credential Manager.
On macOS, that would be the OS X Keychain.

If "dev.azure.com" was stored in one of those credentials helpers, that would explain the lack of prompt when cloning a private repository.

VonC
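The helper check in this answer, carried one step further as an added example (not code from the question or either answer): list the credential.helper settings with the config file each comes from, then ask the helper through git credential fill whether it already holds a credential for dev.azure.com, reporting only whether a password is present and never its value. It assumes the git binary is on PATH (the parsing functions run without it), and it sets GIT_TERMINAL_PROMPT=0 and GCM_INTERACTIVE=never so that the query fails instead of prompting when nothing is stored. The URL in the script is the placeholder from the question.

```python
"""Ask the configured Git credential helper whether it holds a credential for a
host, reporting only whether one exists (never the secret itself).

Added example for this answer; not code from the question or the answers.
Assumes `git` is on PATH; credential_description/parse_fill_output/summarize
work without it.
"""
import os
import subprocess
from urllib.parse import urlsplit


def credential_description(url: str) -> str:
    """Build the key=value block that `git credential fill` reads on stdin."""
    parts = urlsplit(url)
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    lines = [f"protocol={parts.scheme}", f"host={host}"]
    if parts.username:
        lines.append(f"username={parts.username}")
    if parts.path.strip("/"):
        # git only matches on path when credential.useHttpPath is set; harmless otherwise
        lines.append(f"path={parts.path.lstrip('/')}")
    return "\n".join(lines) + "\n\n"  # a blank line terminates the description


def parse_fill_output(text: str) -> dict:
    """Parse the key=value lines `git credential fill` writes to stdout."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def summarize(fields: dict) -> dict:
    """Report the presence of a secret without ever copying its value."""
    return {"username": fields.get("username"), "has_password": "password" in fields}


def configured_helpers() -> list:
    """credential.helper values, each prefixed with the config file it came from."""
    result = subprocess.run(
        ["git", "config", "--show-origin", "--get-all", "credential.helper"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.splitlines()


def stored_credential(url: str) -> dict:
    """Query the helper non-interactively; a non-zero exit means nothing is
    stored for this host and git would have prompted."""
    env = dict(os.environ, GIT_TERMINAL_PROMPT="0", GCM_INTERACTIVE="never")
    result = subprocess.run(
        ["git", "credential", "fill"], input=credential_description(url),
        capture_output=True, text=True, env=env, check=False,
    )
    if result.returncode != 0:
        return {"username": None, "has_password": False}
    return summarize(parse_fill_output(result.stdout))


if __name__ == "__main__":
    # Placeholder URL from the question; substitute your own repository.
    url = "https://dev.azure.com/organization-name/project-name/_git/repo-name"
    try:
        print("credential.helper:", configured_helpers() or ["(none)"])
        print("stored for dev.azure.com:", stored_credential(url))
    except FileNotFoundError:
        print("git is not installed or not on PATH")
```

If stored_credential reports has_password True, the silent clone is explained by the helper, exactly as the answer says; the --show-origin output tells you which config file (system, global or repository) enabled that helper, which is where you would look if you want to remove it.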