GitLab Integration

You can use PrivX to authenticate git commands toward GitLab.

High-level setup steps include:

To enable certificate authentication from PrivX to GitLab:

  1. Set up GitLab to accept certificate authentication from PrivX. To do this, configure the following on your GitLab server:

    • Configure the server to accept certificate-authentication requests. To do this, add the following Match block to the OpenSSH-server configuration (typically at /etc/ssh/sshd_config):

      Match User git
          TrustedUserCAKeys /etc/ssh/
          AuthorizedPrincipalsCommandUser root
          AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check %i PrivXUsers
    • Set the PrivX CA certificate as a trusted CA key:

      To obtain the PrivX CA certificate, go to the PrivX GUI Administration→Deployment→Deploy and Configure SSH target hosts, then select Configure manually, and copy the PrivX CA certificate from step 5 on that page. Then save the certificate to /etc/ssh/privx_ca.pubon your GitLab Server.

    Restart the GitLab Server's OpenSSH server to apply these changes.

  2. Add a new PrivX role to provide GitLab access to users. To do this, go to the PrivX GUI Administration→Roles and click Add Role.

  3. For all PrivX users who need access to GitLab:

  4. Add your GitLab host as a connection target. To do this, go to the PrivX GUI at Administration→Hosts and click Add Host.

    Enter your GitLab-host address and host key. For the Certificate template, choose GitLab:

    Add an account to the host, with the following criteria:

    • Account type: Explicit.
    • Username: git.
    • Password: Leave empty to use certificate authentication.
    • Roles: Add your GitLab role.

    Save the host.

  5. Test that the SSH connection via PrivX works:


    The command should result in output similar to the following:

    PTY allocation request failed on channel 0
    Welcome to GitLab, @jdoe!
    Connection to closed.

    Start using Git:

    git clone

The default GitLab certificate template in PrivX uses windows username for GitLab authentication. For more information about customizing certificate templates, see SSH Certificate Templates.

Was this page helpful?