File: features.md

gitlab 17.6.5-19

---
stage: Create
group: Source Code
info: Any user with at least the Maintainer role can merge updates to this content. For details, see https://docs.gitlab.com/ee/development/development_processes.html#development-guidelines-review.
---

# GitLab Shell feature list

## Discover

Allows users to identify themselves on an instance with SSH. The command helps to
confirm quickly whether a user has SSH access to the instance:

```shell
ssh git@<hostname>

PTY allocation request failed on channel 0
Welcome to GitLab, @username!
Connection to staging.gitlab.com closed.
```

When permission is denied, it returns:

```shell
ssh git@<hostname>
git@<hostname>: Permission denied (publickey).
```

## Git operations

GitLab Shell provides support for Git operations over SSH by processing
`git-upload-pack`, `git-receive-pack` and `git-upload-archive` SSH commands.
It limits the set of commands to predefined Git commands:

- `git archive`
- `git clone`
- `git pull`
- `git push`

## Generate new 2FA recovery codes

Enables users to
[generate new 2FA recovery codes](../../user/profile/account/two_factor_authentication_troubleshooting.md#generate-new-recovery-codes-using-ssh):

```shell
$ ssh git@<hostname> 2fa_recovery_codes

Are you sure you want to generate new two-factor recovery codes?
Any existing recovery codes you saved will be invalidated. (yes/no)
yes

Your two-factor authentication recovery codes are:
...
```

## Verify 2FA OTP

Allows users to verify their
[2FA one-time password (OTP)](../../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations):

```shell
$ ssh git@<hostname> 2fa_verify

OTP: 347419

OTP validation failed.
```

## LFS authentication

Enables users to generate credentials for LFS authentication:

```shell
$ ssh git@<hostname> git-lfs-authenticate <project-path> <upload/download>

{"header":{"Authorization":"Basic ..."},"href":"https://gitlab.com/user/project.git/info/lfs","expires_in":7200}
```

## Personal access token

Enables users to generate personal access tokens over SSH:

```shell
$ ssh git@<hostname> personal_access_token <name> <scope1[,scope2,...]> [ttl_days]

Token:   glpat-...
Scopes:  api
Expires: 2022-02-05
```

### Configuration options

Administrators can control PAT generation with SSH.
To configure PAT settings in GitLab Shell:

::Tabs

:::TabTitle Linux package (Omnibus)

1. Edit the `/etc/gitlab/gitlab.rb` file.
1. Add or modify the following configuration:

   ```ruby
   gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }
   ```

   - `enabled`: Set to `true` to enable PAT generation using SSH, or `false` to disable it.
   - `allowed_scopes`: An array of scopes allowed for PATs generated with SSH.
     Leave empty (`[]`) to allow all scopes.

1. Save the file and [restart GitLab](../../administration/restart_gitlab.md).

:::TabTitle Helm chart (Kubernetes)

1. Edit the `values.yaml` file:

   ```yaml
   gitlab:
     gitlab-shell:
       config:
         pat:
           enabled: true
           allowedScopes: []
   ```

   - `enabled`: Set to `true` to enable PAT generation using SSH, or `false` to disable it.
   - `allowedScopes`: An array of scopes allowed for PATs generated with SSH.
     Leave empty (`[]`) to allow all scopes.

1. Save the file and apply the new values:

   ```shell
   helm upgrade -f values.yaml gitlab gitlab/gitlab
   ```

:::TabTitle Docker

1. Edit the `docker-compose.yaml` file:

   ```yaml
   services:
     gitlab:
       environment:
         GITLAB_OMNIBUS_CONFIG: |
           gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }
   ```

   - `enabled`: Set to `true` to enable PAT generation using SSH, or `false` to disable it.
   - `allowed_scopes`: An array of scopes allowed for PATs generated with SSH.
     Leave empty (`[]`) to allow all scopes.

1. Save the file and restart GitLab and its services:

   ```shell
   docker compose up -d
   ```

:::TabTitle Self-compiled (source)

1. Edit the `/home/git/gitlab-shell/config.yml` file:

   ```yaml
   pat:
     enabled: true
     allowed_scopes: []
   ```

   - `enabled`: Set to `true` to enable PAT generation using SSH, or `false` to disable it.
   - `allowed_scopes`: An array of scopes allowed for PATs generated with SSH.
     Leave empty (`[]`) to allow all scopes.

1. Save the file and restart GitLab Shell:

   ```shell
   # For systems running systemd
   sudo systemctl restart gitlab-shell.target

   # For systems running SysV init
   sudo service gitlab-shell restart
   ```

::EndTabs

NOTE:
These settings only affect PAT generation with SSH and do not
impact PATs created through the web interface.
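
Because an empty `allowed_scopes` permits every scope, a configuration review should flag it whenever PAT generation with SSH is enabled. The following check is an added example, not part of GitLab or GitLab Shell: it audits the `pat` section of a self-compiled `config.yml` using only the keys shown above. The method name, the sample configurations, and the choice to treat `api` as a broad scope are assumptions.

```ruby
require 'yaml'

# Audit the `pat` section of a GitLab Shell config.yml (keys as documented above).
# Returns an array of findings; an empty array means nothing was flagged.
# `broad_scopes` is a local policy choice (assumption), not a GitLab setting.
def audit_pat_config(yaml_text, broad_scopes: %w[api])
  config = YAML.safe_load(yaml_text) || {}
  return ['top level of config is not a mapping'] unless config.is_a?(Hash)

  pat = config['pat']
  return ['pat section absent: built-in defaults apply, set it explicitly'] if pat.nil?
  return ['pat section is not a mapping'] unless pat.is_a?(Hash)

  findings = []
  enabled = pat['enabled']
  unless [true, false].include?(enabled)
    findings << "pat.enabled is #{enabled.inspect}, expected true or false"
  end
  return findings if enabled == false # generation over SSH is off; scopes are moot

  scopes = pat['allowed_scopes']
  if scopes.nil? || scopes == []
    findings << 'pat.allowed_scopes is empty or unset: no scope restriction is configured'
  elsif !scopes.is_a?(Array) || !scopes.all? { |s| s.is_a?(String) }
    findings << 'pat.allowed_scopes must be an array of scope names'
  else
    broad = scopes & broad_scopes
    findings << "pat.allowed_scopes includes broad scope(s): #{broad.join(', ')}" unless broad.empty?
  end
  findings
end

# Constructed sample configurations (not taken from a real instance).
PERMISSIVE = "pat:\n  enabled: true\n  allowed_scopes: []\n"
RESTRICTED = "pat:\n  enabled: true\n  allowed_scopes: [read_repository]\n"
DISABLED   = "pat:\n  enabled: false\n  allowed_scopes: []\n"

{ 'permissive' => PERMISSIVE, 'restricted' => RESTRICTED, 'disabled' => DISABLED }.each do |name, text|
  findings = audit_pat_config(text)
  puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}"
end
```
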