Configuring GitLab access through PrivX SSH certificate authentication

The default method for configuring GitLab for git access is by users uploading their public keys through the Gitlab web user interface and managing the corresponding private keys on their workstations or laptops. After the key has been configured, git uses SSH as the transport mechanism to perform actions on the repository.

Having static, user defined keys is problematic from the security point of view.

Not to worry, GitLab CE & EE editions support OpenSSH certificate authentication out of the box!

With the help of PrivX Agent and a bit of scripting, we can make Gitlab command line repository access completely dynamic and zero trust!

Prerequisites:

  • Gitlab installation on a server with OpenSSH
  • Admin access to the Gitlab server shell
  • A PrivX installation
  • PrivX Agent on the workstation
  • PrivX user’s username MUST match the Gitlab username

Setting up:

  1. Create a role in PrivX which is to be granted to users for GitLab access (in this example “gitlab-users”)
  2. Grant relevant users the role membership
  3. Configure the Gitlab server’s SSH daemon to trust the PrivX CA either manually or by using a deployment script. The deployment script can be downloaded from the PrivX admin console from Deployment / SSH Target Host Configuration

Deployment script run example:

python deploy.py --standalone --principals git=gitlab-users
  1. Create a new script, “principals_command_gitlab.sh” with contents
#!/bin/sh                                                                                                                      

user=${1%@*}
principals=$(tr '\n' ' ' </etc/ssh/gitlab_principals)

if test -z "$user"; then
    exit 0
fi

if test -z "$principals"; then
    exit 0
fi

echo "command=\"/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell username-$user\",no-port-forwarding,no-X11-forwardi\
ng,no-agent-forwarding,no-pty $principals"

exit 0
  1. Modify sshd_config to run the new script
TrustedUserCAKeys /etc/ssh/privx_ca.pub
AuthorizedPrincipalsCommand /etc/ssh/principals_command_gitlab.sh %u
  1. Run
chown root:root /etc/ssh/principals_command_gitlab.sh
chmod 0755 /etc/ssh/principals_command_gitlab.sh
  1. Add the “gitlab-users” role UUID to “/etc/ssh/gitlab_principals” file. The role UUID can be found from the PrivX admin console: Deployment / SSH Target Host Configuration / Configure Manually

Usage on the Git developer/contributor workstation:

  1. Install PrivX Agent & git
  2. Login to PrivX using the agent
privx-agent-ctl server probe https://your.privx.server
privx-agent-ctl server set https://your.privx.server
privx-agent-ctl login user
  1. Set up ~/.gitconfig as you normally would
  2. There should be no need to alter ~/.ssh/config
  3. Verify that the access works, you should be able to access projects / repositories your user has been granted access to in the GitLab

More information:
https://docs.gitlab.com/ee/administration/operations/ssh_certificates.html


Did this page help you?