Authentication

Helix TeamHub supports two authentication types: SSH key authentication and password-based authentication.

SSH Key Authentication

SSH key authentication can be used when accessing repositories. This authentication type always uses an SSH key pair to authenticate an account. A Helix TeamHub account may have multiple SSH keys, but each SSH key must be unique within a TeamHub instance. The same key cannot be shared among accounts, even if they are from different companies.

Note

If TeamHub is set up with Helix authentication, adding an SSH key through the TeamHub UI automatically updates the pubkey table in the Helix server schema.

See also OpenSSH and repository SSH access.

Password-Based Authentication

Password-based authentication can be used when accessing TeamHub data from repositories, APIs, or the user interface. TeamHub can be configured to use one of the supported password authentication methods: Built-in, LDAP, Built-in + LDAP, or Helix. The effects of the first three methods on Helix TeamHub accounts are listed below. For the effects of Helix, see Helix authentication.

User and Collaborator Accounts

Built-In LDAP Built-In + LDAP Use Case
New accounts can sign up by logging in using LDAP password and email or accountID.
New accounts can be added to Helix TeamHub from LDAP by email or accountID.
New accounts outside of LDAP can be added to Helix TeamHub by email.
New accounts will receive a registration email to set the initial password.
New accounts will receive a welcome email.
Only accounts found from LDAP can be added to Helix TeamHub.
Accounts can log in with local password and email or accountID.
Accounts can log in with LDAP password and email or accountID.
Accounts can use password recovery unless the password is synchronized.

Collaborator Accounts without LDAP Support

When LDAP authentication is also enabled for collaborator accounts, they will behave the same way as normal users regarding authentication (see listing above). When LDAP authentication is disabled for collaborators, the following listing is applicable instead.

Built In LDAP Built-in + LDAP Use Case
New collaborators can be added to Helix TeamHub by email.
New collaborators will receive a registration email to set the initial password.
Collaborators can log in with local password and email or accountID.
Collaborators can use password recovery unless the password is synchronized.

Bot Accounts

Bot accounts always use a local password, regardless of the authentication method.

Built In LDAP Built-in + LDAP Use Case
Can access repositories using local password and accountID.

Instance Admin Accounts

Users with admin privileges can always use a local password to log in to Helix TeamHub Admin.

Built In LDAP Built-in + LDAP Use Case
Can log in to Helix TeamHub Admin using local password and email or accountID.
Can log in to Helix TeamHub Admin using LDAP password and email or accountID.
Can use password recovery.

Password expiration

You can configure passwords for built-in authentication to expire a certain number of days after the last password change. You turn on this feature by defining password_expire_days via configuration flags. Helix TeamHub sends out an email notification and displays a notification in the UI when the password is close to expiration. To configure how far in advance TeamHub notifies users of the password expiration, set the password_expire_notify flag.

When you enable the feature for the first time, the last changed timestamp is set for accounts and the expiration period starts. Changing the password resets the period for the account. If you do not change the password before the expiration period ends, you can use the forgot password feature to have a password reset link sent to the account's email address. Password expiration only affects users and collaborators; passwords do not expire for bots.

Company admins can disable password expiration for an account in the Account Details view. This is recommended for service accounts that are used with integrations and whose passwords are managed separately.

Preventing password reuse

You can prevent password reuse for built-in authentication by defining password_expire_count via configuration flags. This setting controls how many old passwords are prevented from being used again. This setting only affects users and collaborators.
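
The following sketch models how the expiration and reuse settings described above interact for one account. It is an added illustration, not TeamHub's implementation: the flag values, the Account record, the PBKDF2 hashing of remembered passwords, and the reading of password_expire_notify as a number of days are all assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Flag names come from the page; the values are constructed for illustration.
PASSWORD_EXPIRE_DAYS = 90
PASSWORD_EXPIRE_NOTIFY = 14   # assumption: days of advance notice
PASSWORD_EXPIRE_COUNT = 3     # assumption: the current password counts as one

def _digest(password: str, salt: bytes) -> bytes:
    # Illustrative work factor; history entries are salted hashes, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:  # hypothetical record, not TeamHub's schema
    kind: str                      # "user", "collaborator" or "bot"
    changed_at: datetime           # last password change
    expiry_disabled: bool = False  # per-account opt-out set by a company admin
    history: list = field(default_factory=list)  # (salt, digest), newest first

def expiry_state(acct: Account, now: datetime) -> str:
    """Return 'exempt', 'ok', 'notify' or 'expired' for one account."""
    if acct.kind == "bot" or acct.expiry_disabled:
        return "exempt"
    expires = acct.changed_at + timedelta(days=PASSWORD_EXPIRE_DAYS)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=PASSWORD_EXPIRE_NOTIFY):
        return "notify"
    return "ok"

def change_password(acct: Account, new_password: str, now: datetime) -> bool:
    """Refuse a remembered password; otherwise store it and restart the period."""
    if acct.kind != "bot":  # reuse prevention covers users and collaborators only
        for salt, digest in acct.history[:PASSWORD_EXPIRE_COUNT]:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return False
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _digest(new_password, salt)))
    del acct.history[PASSWORD_EXPIRE_COUNT:]  # forget anything older
    acct.changed_at = now
    return True
```

Running expiry_state over an export of account records gives a quick audit of which accounts are exempt from expiration, which is worth reviewing because exempt service accounts rely entirely on separately managed passwords.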