GitLab Integration

You can use PrivX to authenticate git commands toward GitLab.

High-level setup steps include:

To enable certificate authentication from PrivX to GitLab:

  1. Set up GitLab to accept certificate authentication from PrivX. To do this, configure the following on your GitLab server:

    • Configure the server to accept certificate-authentication requests. To do this, add the following Match block to the OpenSSH-server configuration (typically at /etc/ssh/sshd_config):

      Match User git
          TrustedUserCAKeys /etc/ssh/privx_ca.pub
          AuthorizedPrincipalsCommandUser root
          AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check %i PrivXUsers

    • Set the PrivX CA certificate as a trusted CA key:

      To obtain the PrivX CA certificate, go to the PrivX GUI at Administration→Deployment→Deploy and Configure SSH target hosts, select Configure manually, and copy the PrivX CA certificate from step 5 on that page. Then save the certificate to /etc/ssh/privx_ca.pub on your GitLab server.

    Restart the GitLab Server's OpenSSH server to apply these changes.

  2. Add a new PrivX role to provide GitLab access to users. To do this, go to the PrivX GUI Administration→Roles and click Add Role.

  3. For all PrivX users who need access to GitLab:

  4. Add your GitLab host as a connection target. To do this, go to the PrivX GUI at Administration→Hosts and click Add Host.

    Enter your GitLab-host address and host key. For the Certificate template, choose GitLab.

    Add an account to the host, with the following criteria:

    • Account type: Explicit.
    • Username: git.
    • Password: Leave empty to use certificate authentication.
    • Roles: Add your GitLab role.

    Save the host.

  5. Test that the SSH connection via PrivX works:

    ssh git@gitlab.example.com

    The command should result in output similar to the following:

    PTY allocation request failed on channel 0
    Welcome to GitLab, @jdoe!
    Connection to gitlab.example.com closed.

    Start using Git:

    git clone git@gitlab.example.com:test-project/testrepo.git

The default GitLab certificate template in PrivX uses the Windows username for GitLab authentication. For more information about customizing certificate templates, see SSH Certificate Templates.
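
The Match block from step 1 limits trust in the PrivX CA to the git account. The following check is an added example, not part of PrivX or GitLab: the function name check_privx_match is hypothetical, and it assumes the Match line is exactly "Match User git". It reports a missing directive and flags a TrustedUserCAKeys set outside any Match block.

```shell
#!/bin/sh
# Added example: lint an sshd_config for the PrivX "Match User git" block.
# Exit status: 0 = block complete, 1 = block or a directive missing,
#              2 = complete, but TrustedUserCAKeys is also set globally.
check_privx_match() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1) }                    # sshd keywords are case-insensitive
        key == "match" {                         # a Match line opens a new scope
            scope = (NF == 3 && tolower($2) == "user" && $3 == "git") ? "git" : "other"
            if (scope == "git") found = 1
            next
        }
        scope == "git" { seen[key] = 1; next }   # directive inside the git block
        scope == "" && key == "trustedusercakeys" { global_ca = 1 }
        END {
            rc = 0
            if (!found) { print "FAIL: no \"Match User git\" block"; exit 1 }
            n = split("trustedusercakeys authorizedprincipalscommanduser authorizedprincipalscommand", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) { print "FAIL: " need[i] " not set in the block"; rc = 1 }
            if (rc == 0 && global_ca) {
                print "REVIEW: TrustedUserCAKeys is also set globally, so that CA is trusted for accounts other than git"
                rc = 2
            }
            if (rc == 0) print "OK: Match User git block is complete"
            exit rc
        }
    ' "$1"
}

# Constructed sample: the Match block from this page after an unrelated global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication no
Match User git
    TrustedUserCAKeys /etc/ssh/privx_ca.pub
    AuthorizedPrincipalsCommandUser root
    AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check %i PrivXUsers
EOF
check_privx_match "$sample"
rm -f "$sample"
```

Run the function against /etc/ssh/sshd_config on the GitLab server before restarting the OpenSSH server.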
