Create a PAM module that enforce GitLab 2FA over GIT SSH

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Problem

There's customer demand to add support for 2FA over the command (for example https://fortinet.com), including 2FA support on command line for SSH. We should prioritize self-managed.

Proposal

Create a GitLab Pluggable Authentication Module (PAM) to enforce GitLab 2FA behaviour, this module should exchange info with GitLab API about the user and if the user is using 2FA should ask for the token and exchange with the GitLab API for validation

Questions

PAM are usually delivered as .SO (Dynamic Library Objects), and the are usually developed on C/C++ or Python, we can check what are the options nowadays maybe Golang is now even an option

Spike: sarcila/gitlab-shell!1

Edited Jul 05, 2025 by 🤖 GitLab Bot 🤖