You can use PrivX to authenticate
git commands toward GitLab.
High-level setup steps include:
- Configuring GitLab to accept certificate authentication from PrivX.
- Enabling bastion connections via ProxyCommand, for providing automatic authentication against PrivX.
- Adding GitLab as a connection target to PrivX.
To enable certificate authentication from PrivX to GitLab:
Set up GitLab to accept certificate authentication from PrivX. To do this, configure the following on your GitLab server:
Configure the server to accept certificate-authentication requests. To do this, add the following
Matchblock to the OpenSSH-server configuration (typically at
Match User git TrustedUserCAKeys /etc/ssh/privx_ca.pub AuthorizedPrincipalsCommandUser root AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check %i PrivXUsers
Set the PrivX CA certificate as a trusted CA key:
To obtain the PrivX CA certificate, go to the PrivX GUI Administration→Deployment→Deploy and Configure SSH target hosts, then select Configure manually, and copy the PrivX CA certificate from step 5 on that page. Then save the certificate to
/etc/ssh/privx_ca.pubon your GitLab Server.
Restart the GitLab Server's OpenSSH server to apply these changes.
Add a new PrivX role to provide GitLab access to users. To do this, go to the PrivX GUI Administration→Roles and click Add Role.
For all PrivX users who need access to GitLab:
Add the user to the new role.
Enable the user to connect via PrivX SSH Bastion using ProxyCommand, as described in Connecting Directly Using ProxyCommand.
Add your GitLab host as a connection target. To do this, go to the PrivX GUI at Administration→Hosts and click Add Host.
Enter your GitLab-host address and host key. For the Certificate template, choose GitLab:
Add an account to the host, with the following criteria:
- Account type: Explicit.
- Password: Leave empty to use certificate authentication.
- Roles: Add your GitLab role.
Save the host.
Test that the SSH connection via PrivX works:
The command should result in output similar to the following:
PTY allocation request failed on channel 0 Welcome to GitLab, @jdoe! Connection to gitlab.example.com closed.
Start using Git:
git clone [email protected]:test-project/testrepo.git
The default GitLab certificate template in PrivX uses windows username for GitLab authentication. For more information about customizing certificate templates, see SSH Certificate Templates.
Updated over 2 years ago