Authentication
Helix TeamHub supports two authentication types: SSH key authentication and password-based authentication.
SSH key authentication
SSH key authentication can be used when accessing repositories. This authentication type will always use a SSH key pair to authenticate an account. Helix TeamHub accounts can have multiple SSH keys, but a single SSH key is unique within a TeamHub instance. The same key cannot be shared among accounts even if they are from different companies.
If TeamHub is set up with Helix authentication, adding an SSH key through the TeamHub UI automatically updates the pubkey
table in the Helix Server schema.
See also OpenSSH and repository SSH access.
Password-based authentication
Password-based authentication can be used when accessing TeamHub data from repositories, APIs, or the user interface.Built-in
, LDAP
, Built-in + LDAP
, or Helix
) supported password authentication methods. The effects of the first 3 methods for TeamHub accounts are listed below.Helix
, see Helix authentication.
User and collaborator accounts
Built-In | LDAP | Built-In + LDAP | Use Case |
---|---|---|---|
✓ | ✓ | New accounts can sign up by logging in using LDAP password and email or accountID. | |
✓ | ✓ | New accounts can be added to TeamHub from LDAP by email or accountID. | |
✓ | ✓ | New accounts outside of LDAP can be added to TeamHub by email. | |
✓ | ✓ | New accounts will receive a registration email to set the initial password. | |
✓ | New accounts will receive a welcome email. | ||
✓ | Only accounts found from LDAP can be added to TeamHub. | ||
✓ | ✓ | Accounts can log in with local password and email or accountID. | |
✓ | ✓ | Accounts can log in with LDAP password and email or accountID. | |
✓ | ✓ | Accounts can use password recovery unless password is synchronized. |
Collaborator accounts without LDAP support
When LDAP authentication is also enabled for collaborator accounts, they will behave the same way as normal users regarding authentication (see listing above). When LDAP authentication is disabled for collaborators, the following listing is applicable instead.
Built In | LDAP | Built-in + LDAP | Use Case |
---|---|---|---|
✓ | ✓ | ✓ | New collaborators can be added to TeamHub by email. |
✓ | ✓ | ✓ | New collaborators will receive a registration email to set the initial password. |
✓ | ✓ | ✓ | Collaborators can log in with local password and email or accountID. |
✓ | ✓ | ✓ | Collaborators can use password recovery unless password is synchronized. |
Bot accounts
Bot accounts will always use local password regardless of the authentication method.
Built In | LDAP | Built-in + LDAP | Use Case |
---|---|---|---|
✓ | ✓ | ✓ | Can access repositories using local password and accountID. |
Instance admin accounts
Users with admin privileges can always use local password to log in to TeamHub Admin.
Built In | LDAP | Built-in + LDAP | Use Case |
---|---|---|---|
✓ | ✓ | ✓ | Can log in to TeamHub Admin using local password and email or accountID. |
✓ | ✓ | Can log in to TeamHub Admin using LDAP password and email or accountID. | |
✓ | ✓ | ✓ | Can use password recovery. |
Password configuration
The following password settings are configured using the backend configuration flags.
Password expiration
Configure passwords for built-in authentication to expire a certain number of days after the last password change using the password_expire_days configuration flag.
The default value is 0 (zero), passwords never expire.
When you enable the feature for the first time, the last changed timestamp is set for accounts and the expiration period starts. Changing the password resets the period for the account. If you do not change the password before the expiration period ends, you can use the forgot password feature to request a link to the account's email to reset the password. Password expiration only affects users and collaborators; passwords do not expire for bots.
Company admins can disable password expiration for an account in the Account Details view. This is recommended for service accounts that are used with integrations and whose passwords are managed separately.
TeamHub sends out an email notification and displays a notification in the UI when the password is close to expiration. To configure how far in advance TeamHub notifies users of the password expiration, set the password_expire_notify flag.
Preventing password reuse
Prevent password reuse for built-in authentication with the password_expire_count flag. Sets the number of different passwords the user must set before they are allowed to reuse a password. This setting only affects users and collaborators.
The default value is 0 (zero), password reuse is allowed.
Password expiration notification
Enables TeamHub to send out an email notification and display a notification in the UI when a password is close to expiration. Set the number of days warning user's get with the password_expire_notify flag.
The default value is 7 days.
Password entropy
The password_validation_entropy configuration flag defines the minimum password entropy level required related to the email, short_name, first_name, last_name field values using the Levenshtein algorithm.
-
≤ 0 (zero): turns password entropy validation off. The default value is -1, password entropy validation off.
-
0 (zero): TeamHub only rejects the password if it is an exact match to one or more of the fields above.
-
≥ 0 (zero): defines the minimum threshold of similarity required for a password.
Password character requirements
The password_validation_format configuration flag defines the password format requirements for account password validation.
The default value is /(?=.*[[:upper:]])(?=.*[[:lower:]])(?=.*[[:digit:]]).*/, passwords must contain a minimum of one uppercase letter, one lowercase letter, and one digit.
To remove the requirement for a specific password validation format, set the password_validation_format configuration flag to /.*/
Password length requirements
The password_validation_range configuration flag defines the minimum and maximum length for account password validation.
The default value is 8..100, passwords must be a minimum or 8 and maximum of 100 characters.