Configure and use the Advanced Server Access server agent

This topic describes how to configure and use the Advanced Server Access server agent.

Command line options

    --conf: Provide an alternative configuration file path.

    --debug-device-info: Prints detected device information to stderr and then exits.

    -h, --help: Displays help.

    -v, --version: Displays version.

    --syslog: Force syslog logging.

Configuration file

You can control the operation of the Advanced Server Access server agent through the use of a configuration file (sftd.yaml). On startup, the agent configures itself using the settings outlined in the configuration file. You must manually create the configuration file at the location specified in the Files and Paths section below.

If this file hasn't been created or is unavailable, sftd uses the following default configuration:

    ---
    # Common Configuration Options:
    #
    # AccessAddress is unset by default
    AutoEnroll: true
    # Bastion is unset by default
    # CanonicalName is unset by default
    # InitialURL is unset by default

Common Configuration Options

Option Default value Description
AccessAddress unset For hosts with multiple interfaces or behind DNATs, this specifies the address that clients use to connect to this host.
AccessInterface unset For hosts with a specific public IP address associated with a known interface, this option specifies the interface that clients negotiate connections with while connecting to the host.


AccessInterface: eth0

AltNames unset A list of alternative hostnames for this server. These names can be used as target names for sft ssh.


AltNames: ["web01", ""]

AutoEnroll true This option is either true or false. When set to true, sftd attempts to automatically enroll with Advanced Server Access on initial startup.
Bastion unset Specifies the bastion host clients will automatically use when connecting to this host.
CanonicalName unset Specifies the name that clients should use/see when connecting to this host. This overrides the name that's returned by the hostname command.
InitialURL unset When AutoEnroll is set to true, this option specifies the InitialURL that the server can use to auto-enroll. When an enrollment token is provided by EnrollmentTokenFile, this option is ignored.

Note: This option is only used by legacy installations not hosted by Advanced Server Access instances.



Traditionally, clients initiate SSH connections on port 22 of a host. This option lets admins specify a different port for clients to use when negotiating SSH connections.


SSHDPort: 4022


Additional Configuration Options


Option Default value Description


LogLevel INFO This option controls the logging verbosity level. Valid values are:
  • WARN
  • INFO

You can also manually set the verbosity level to DEBUG by running sftd --debug, which overrides any value set in the config file.

BrokerAccessPort 4421 This option sets the port that clients use to connect to the Advanced Server Access broker process on this host.
BrokerListenHost unset This option sets the IP address of a specific interface on the host for the Advanced Server Access broker process to listen on. By default, the process listens on all interfaces.
BrokerListenPort 4421 This option sets the port for the Advanced Server Access broker to listen on.
BufferFile /var/lib/sftd/buffer.db This sets the path prefix to the file(s) that sftd uses for its local buffer store. Individual buffer file names consist of the path prefix, followed by a period and an incremental number (for example, buffer.db.1). Buffer files that have been synchronized will be automatically removed.
DisableBroker unset Advanced Server Access automatically runs an access broker process that listens on port 4421. On Windows, the access broker is responsible for proxying RDP connections and is required for users to be able to successfully RDP to their team's Windows server. For Linux hosts, access broker processes are only required when they're configured in Advanced Server Access to create users on demand.

Set DisableBroker to true to have the agent not run an access broker process.

Note: Disabling the access broker process is not recommended on Windows. See Windows Internals.

EnrollmentTokenFile /var/lib/sftd/enrollment.token This sets the path to a file that contains a secret token for token-based enrollment. This file is deleted after a successful enrollment to the platform.
ForwardProxy none This is a URL to an HTTP CONNECT proxy that sftd will use for outbound network connectivity to the Advanced Server Access platform. Alternatively, the HTTPS_PROXY environment variable can be used to configure this proxy.



ServerFile /var/lib/sftd/device.server This is the path to the file that sftd uses to store the URL of the server that it will connect to.
SSHDConfigFile /etc/ssh/sshd_config This is the path to the sshd configuration file.

Note: sftd will modify this file.

TokenFile /var/lib/sftd/device.token This is the path to the file that sftd uses to store its secret token for authentication to Advanced Server Access.



This is the path that sftd writes its list of trusted SSH certificate authorities to.
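
The listeners and client-facing ports that a given sftd.yaml implies can be worked out from the defaults in the tables above, which helps when writing firewall rules for the host. The script below is an added example, not part of the product documentation or the agent; it assumes flat top-level Key: value lines, and takes 22 as the SSHDPort default from the "traditionally port 22" sentence.

```shell
#!/bin/sh
# Added example: list the network endpoints an sftd.yaml implies.
# Assumes flat top-level "Key: value" lines, as in the snippets on this page.

# conf_get FILE KEY DEFAULT: last value set for KEY, or DEFAULT when unset.
conf_get() {
    v=$(sed -n "s/^$2:[[:space:]]*//p" "$1" 2>/dev/null |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/^#.*$//' \
            -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# sftd_endpoints FILE: one line per listener or client-facing port.
# A missing or unreadable file yields the documented defaults.
sftd_endpoints() {
    conf=$1
    disabled=$(conf_get "$conf" DisableBroker false)
    # BrokerListenHost unset means the broker listens on all interfaces.
    host=$(conf_get "$conf" BrokerListenHost all-interfaces)
    lport=$(conf_get "$conf" BrokerListenPort 4421)
    aport=$(conf_get "$conf" BrokerAccessPort 4421)
    # 22 is an assumption taken from the "traditionally port 22" sentence.
    sport=$(conf_get "$conf" SSHDPort 22)

    case "$disabled" in
        true|True|TRUE) echo "broker disabled" ;;
        *) echo "broker listen=$host:$lport client-port=$aport" ;;
    esac
    echo "ssh client-port=$sport"
    return 0
}

sftd_endpoints "${1:-/etc/sft/sftd.yaml}"
```

A "listen=all-interfaces" line is the case to review first: setting BrokerListenHost narrows the broker to one interface.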

Files and Paths

This section provides the locations of important files and paths in Linux and Windows that are used by Advanced Server Access.


sftd on Linux runs under the root user. Paths follow the Linux Standard Base specifications when applicable.


  • State directory: /var/lib/sftd

  • Configuration file: /etc/sft/sftd.yaml

    Note: You must manually create the directory and configuration file.

  • Log directory: sftd uses the system logger when available

    Note: Log files are rotated after 5MB and only the 10 most recent log files are kept.

  • Enrollment token: /var/lib/sftd/enrollment.token

  • Disable Autostart: /etc/sftd/disable-autostart

    By default, the scaleft-server-tools packages on Red Hat- and Debian-derived distributions will automatically start sftd after installation. In most circumstances, this causes the agent to automatically enroll in Advanced Server Access, create local users, and remove the enrollment token from disk.

    If a disable-autostart file exists at the time of installation, the packages will not automatically start the agent. This can be useful when building OS images using a tool like Packer. Under these circumstances, it is typically preferable to remove the disable-autostart file once the package has been installed.
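
The Linux paths above can be audited from a shell. The script below is an added example, not shipped with the agent; the ROOT prefix argument and the finding labels are hypothetical, and treating an enrollment token found beside a device token as stale is an interpretation of the deletion behaviour described for EnrollmentTokenFile.

```shell
#!/bin/sh
# Added example: audit sftd's on-disk state on Linux.
# The optional ROOT prefix (hypothetical) lets the same check run against a
# mounted image or a test tree; leave it empty on a live host.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_sftd_state [ROOT]: prints one finding per line, nothing when clean.
audit_sftd_state() {
    root=$1
    state="$root/var/lib/sftd"

    # Both token files hold secrets: flag any group/other permission bit.
    for f in "$state/device.token" "$state/enrollment.token"; do
        if [ -f "$f" ]; then
            mode=$(perm_of "$f")
            case "$mode" in
                *00|0) ;;
                *) echo "LOOSE_PERMS $f mode=$mode" ;;
            esac
        fi
    done

    # The enrollment token is deleted after a successful enrollment, so one
    # sitting next to a device token is an unused secret left on disk.
    if [ -f "$state/device.token" ] && [ -f "$state/enrollment.token" ]; then
        echo "STALE_ENROLLMENT_TOKEN $state/enrollment.token"
    fi

    # Without sftd.yaml the agent runs on defaults (AutoEnroll: true).
    if [ ! -f "$root/etc/sft/sftd.yaml" ]; then
        echo "NO_CONFIG defaults apply (AutoEnroll: true)"
    fi

    # If present at install time, this file stops the package starting sftd.
    if [ -f "$root/etc/sftd/disable-autostart" ]; then
        echo "AUTOSTART_DISABLED $root/etc/sftd/disable-autostart"
    fi
    return 0
}

audit_sftd_state "${1:-}"
```

Run it with the mount point of a built image as the argument to confirm that no enrollment or device token was baked into the image.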


On Windows, the Advanced Server Access agent runs under the LocalSystem account.

%LOCALAPPDIR% is the default prefix for all filesystem paths.


  • State directory: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft

  • Configuration file: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml

    Note: You must manually create the configuration file.

  • Log directory: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs

    Note: Log files are rotated after 5MB and only the 10 most recent log files are kept.

  • Enrollment token: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\enrollment.token

Environment variables

sftd reads the following variables when starting:

  • SFT_DEBUG: Prints additional debugging to stderr when set.

Warning: Moving a server between projects will cause the new project to take over user and group synchronization, which may result in changes to local user names, UIDs or other attributes on the server. This will not remove the existing local users or groups from the original project, but any orphaned users will no longer be accessible using Advanced Server Access, with the exception of established SSH connections (which are not terminated).
