Skip to content

GitLab Shell feature list

Discover

Allows users to identify themselves on an instance with SSH. The command helps to confirm quickly whether a user has SSH access to the instance:

ssh git@<hostname>

PTY allocation request failed on channel 0
Welcome to GitLab, @username!
Connection to staging.gitlab.com closed.

When permission is denied, it returns:

ssh git@<hostname>
git@<hostname>: Permission denied (publickey).

Git operations

GitLab Shell provides support for Git operations over SSH by processing git-upload-pack, git-receive-pack and git-upload-archive SSH commands. It limits the set of commands to predefined Git commands:

  • git archive
  • git clone
  • git pull
  • git push

Generate new 2FA recovery codes

Enables users to generate new 2FA recovery codes:

$ ssh git@<hostname> 2fa_recovery_codes

Are you sure you want to generate new two-factor recovery codes?
Any existing recovery codes you saved will be invalidated. (yes/no)
yes

Your two-factor authentication recovery codes are:
...

Verify 2FA OTP

Allows users to verify their 2FA one-time password (OTP):

$ ssh git@<hostname> 2fa_verify

OTP: 347419

OTP validation failed.

LFS authentication

Enables users to generate credentials for LFS authentication:

$ ssh git@<hostname> git-lfs-authenticate <project-path> <upload/download>

{"header":{"Authorization":"Basic ..."},"href":"https://gitlab.com/user/project.git/info/lfs","expires_in":7200}

Personal access token

Enables users to use personal access tokens with SSH:

$ ssh git@<hostname> personal_access_token <name> <scope1[,scope2,...]> [ttl_days]

Token:   glpat-...
Scopes:  api
Expires: 2022-02-05

Configuration options

Administrators can control PAT generation with SSH. To configure PAT settings in GitLab Shell:

::Tabs

:::TabTitle Linux package (Omnibus)

  1. Edit the /etc/gitlab/gitlab.rb file.

  2. Add or modify the following configuration:

    gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }
    • enabled: Set to true to enable PAT generation using SSH, or false to disable it.
    • allowed_scopes: An array of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  3. Save the file and Restart GitLab.

:::TabTitle Helm chart (Kubernetes)

  1. Edit the values.yaml file:

    gitlab:
      gitlab-shell:
        config:
          pat:
            enabled: true
            allowedScopes: []
    • enabled: Set to true to enable PAT generation using SSH, or false to disable it.
    • allowedScopes: An array of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all
  2. Save the file and apply the new values:

    helm upgrade -f gitlab_values.yaml gitlab gitlab/gitlab

:::TabTitle Docker

  1. Edit the docker-compose.yaml file:

    services:
      gitlab:
        environment:
          GITLAB_OMNIBUS_CONFIG: |
            gitlab_shell['pat'] = { enabled: true, allowed_scopes: [] }
    • enabled: Set to 'true' to enable PAT generation using SSH, or 'false' to disable it.
    • allowed_scopes: A comma-separated list of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  2. Save the file and restart GitLab and its services:

    docker compose up -d

:::TabTitle Self-compiled (source)

  1. Edit the /home/git/gitlab-shell/config.yml file:

    pat:
      enabled: true
      allowed_scopes: []
    • enabled: Set to true to enable PAT generation using SSH, or false to disable it.
    • allowed_scopes: An array of scopes allowed for PATs generated with SSH. Leave empty ([]) to allow all scopes.
  2. Save the file and restart GitLab Shell:

    # For systems running systemd
    sudo systemctl restart gitlab-shell.target
    
    # For systems running SysV init
    sudo service gitlab-shell restart

::EndTabs

NOTE: These settings only affect PAT generation with SSH and do not impact PATs created through the web interface.