GitLab Shell feature list

Discover

Allows users to identify themselves on an instance with SSH. The command helps to confirm quickly whether a user has SSH access to the instance:

ssh git@<hostname>

PTY allocation request failed on channel 0
Welcome to GitLab, @username!
Connection to staging.gitlab.com closed.

When permission is denied, it returns:

ssh git@<hostname>
git@<hostname>: Permission denied (publickey).

Git operations

GitLab Shell provides support for Git operations over SSH by processing git-upload-pack, git-receive-pack and git-upload-archive SSH commands. It limits the set of commands to predefined Git commands:

  • git archive
  • git clone
  • git pull
  • git push

Generate new 2FA recovery codes

Enables users to generate new 2FA recovery codes:

$ ssh git@<hostname> 2fa_recovery_codes

Are you sure you want to generate new two-factor recovery codes?
Any existing recovery codes you saved will be invalidated. (yes/no)
yes

Your two-factor authentication recovery codes are:
...

Verify 2FA OTP

Allows users to verify their 2FA one-time password (OTP):

$ ssh git@<hostname> 2fa_verify

OTP: 347419

OTP validation failed.

LFS authentication

Enables users to generate credentials for LFS authentication:

$ ssh git@<hostname> git-lfs-authenticate <project-path> <upload/download>

{"header":{"Authorization":"Basic ..."},"href":"https://gitlab.com/user/project.git/info/lfs","expires_in":7200}

Personal access token

Enables users to use personal access tokens with SSH:

$ ssh git@<hostname> personal_access_token <name> <scope1[,scope2,...]> [ttl_days]

Token:   glpat-...
Scopes:  api
Expires: 2022-02-05

Configuration options

Administrators can control PAT generation with SSH. To configure PAT settings in GitLab Shell:

Linux package (Omnibus)
  1. Edit the /etc/gitlab/gitlab.rb file.
  2. Add or modify the following configuration:

    gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }
    
    • enabled: Set to true to enable PAT generation using SSH, or false to disable it.
    • allowed_scopes: An array of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  3. Save the file and restart GitLab.
Helm chart (Kubernetes)
  1. Edit the values.yaml file:

    gitlab:
      gitlab-shell:
        config:
          pat:
            enabled: true
            allowedScopes: []
    
    • enabled: Set to true to enable PAT generation using SSH, or false to disable it.
    • allowedScopes: An array of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  2. Save the file and apply the new values:

    helm upgrade -f gitlab_values.yaml gitlab gitlab/gitlab
    
Docker
  1. Edit the docker-compose.yaml file:

    services:
      gitlab:
        environment:
          GITLAB_OMNIBUS_CONFIG: |
            gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }
    
    • enabled: Set to 'true' to enable PAT generation using SSH, or 'false' to disable it.
    • allowed_scopes: A comma-separated list of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  2. Save the file and restart GitLab and its services:

    docker compose up -d
    
Self-compiled (source)
  1. Edit the /home/git/gitlab-shell/config.yml file:

    pat:
      enabled: true
      allowed_scopes: []
    
    • enabled: Set to true to enable PAT generation using SSH, or false to disable it.
    • allowed_scopes: An array of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  2. Save the file and restart GitLab Shell:

    # For systems running systemd
    sudo systemctl restart gitlab-shell.target
    
    # For systems running SysV init
    sudo service gitlab-shell restart
    
Note: These settings only affect PAT generation with SSH and do not impact PATs created through the web interface.
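
One way to audit the pat section of a self-compiled install's config.yml against the semantics described above (an added example, not GitLab's own code). The audit_pat_config helper, the BROAD_SCOPES policy list and the sample configs are assumptions constructed for the example.

```ruby
require 'yaml'

# Scopes this example treats as broad. The list is a policy choice made for
# the example; GitLab Shell itself defines no such category.
BROAD_SCOPES = %w[api write_repository sudo].freeze

# Audits the `pat` section of a GitLab Shell config.yml and returns findings.
def audit_pat_config(yaml_text)
  config = YAML.safe_load(yaml_text)
  config = {} unless config.is_a?(Hash)
  pat = config['pat']
  # The page does not state the default, so an absent section is reported.
  return ['pat section absent: effective setting depends on the default'] unless pat.is_a?(Hash)
  # Only an explicit `enabled: false` is treated as disabled.
  return [] if pat['enabled'] == false

  scopes = Array(pat['allowed_scopes']).map(&:to_s)
  if scopes.empty?
    # Documented behaviour: an empty array allows all scopes.
    return ['allowed_scopes is empty: any scope can be requested over SSH']
  end
  broad = scopes & BROAD_SCOPES
  broad.empty? ? [] : ["allowed_scopes includes broad scopes: #{broad.join(', ')}"]
end

# Constructed sample inputs in the self-compiled config.yml layout.
PERMISSIVE = <<~CONFIG
  pat:
    enabled: true
    allowed_scopes: []
CONFIG

RESTRICTED = <<~CONFIG
  pat:
    enabled: true
    allowed_scopes: [read_repository, read_api]
CONFIG

DISABLED = <<~CONFIG
  pat:
    enabled: false
    allowed_scopes: []
CONFIG

if __FILE__ == $PROGRAM_NAME
  { 'permissive' => PERMISSIVE, 'restricted' => RESTRICTED, 'disabled' => DISABLED }.each do |name, text|
    puts "#{name}: #{audit_pat_config(text).inspect}"
  end
end
```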