SSH setup

SSH is a secure shell that allows direct access to the command prompt. With the proper configuration, you can use SSH to connect to servers enrolled in Advanced Server Access by entering the command ssh <hostname>

Use ProxyCommand with Advanced Server Access

OpenSSH ProxyCommand is the recommended method of using SSH with Advanced Server Access. It requires configuring the local SSH client, which then lets you use normal SSH workflows with Advanced Server Access.

To configure the SSH client, run sft ssh-config

This command outputs an SSH configuration block. Append this block to your SSH configuration file (usually ~/.ssh/config). You can append the configuration to your file in one step by using the command sft ssh-config >> ~/.ssh/config

Now running sft login opens an Advanced Server Access session. This authorizes your SSH client to request credentials and query metadata from the Advanced Server Access server inventory.

Advanced Server Access may encounter issues when using ProxyCommand on Windows devices if the client is installed in a directory that includes a space in the name. This happens if the client was installed system-wide, or installed by a user with a space in their username.

To resolve this issue, edit the .ssh/config file to include the 8.3 formatted path where the client is installed. For example if the client was installed at C:\Program Files (x86)\Scaleft\sft.exe, users would add C:\PROGRA~2\ScaleFT\sft.exe to .ssh/config file. Users can identify the 8.3 directory name with the dir /x command.

Use sft ssh

In environments where OpenSSH ProxyCommand is not available, sft ssh can be used instead. This command can be helpful when testing new configurations in Advanced Server Access, since you can easily pass Advanced Server Access-specific arguments to it, such as --via

You connect to a server by running sft ssh <hostname> For example, to connect to, you'd use the command sft ssh

You can see a list of available servers by running the command sft list-servers

Use Advanced Server Access with SSH bastions

There are many environments where you can't reach hosts directly, but instead must traverse through a bastion or gateway host. Advanced Server Access makes it easy and secure to use bastions.

Advanced Server Access transparently enables SSH best practices for traversing bastion hops securely. Every connection between your SSH client and the target host, including bastion connections, is end-to-end encrypted, mutually authenticated, and authorized with ephemeral client certificates.

You can add a bastion hop by passing the --via command line option to sft ssh. For example, to add as a bastion hop to, you'd enter the command: sft ssh --via

Bastions can be configured to be used consistently by configuring the agent on the target host. When a bastion is specified in an agent's sftd.yaml configuration file, (for example, Bastion:, the bastion will always be used when users connect to that server.

See Configure and use the Advanced Server Access agent.

For example, if you specify a bastion in the configuration file of the Advanced Server Access agent on, then the bastion will always be used when you use the command ssh

Related topics