Customize SSH configurations for clients

Okta Privileged Access allows SSH customization options for both Okta Privileged Access admins and their teams. Users can adjust how their client responds when attempting SSH connections, and admins can customize how their servers respond to clients initiating connections. Before beginning, make sure that you've installed the ScaleFT client and run the sft ssh-config command.

Client customization

Depending on your Okta Privileged Access client and your SSH configuration, you should see something like the following within your config file:

# To use ScaleFT proxycommand, add this configuration block to your $HOME/.ssh/config
Match exec "/usr/local/bin/sft resolve -q  %h"
ProxyCommand "/usr/local/bin/sft" proxycommand  %h
UserKnownHostsFile "/Users/Admin/Library/Application Support/ScaleFT/proxycommand_known_hosts"

Any paths provided are from a macOS perspective and use /Users/Admin/ as an example folder path. Paths on your machine may read differently.

Customization examples

  • Remove -q from sft resolve

    The -q option stands for quiet mode. It means that any errors or issues that occur while connecting to your target servers won't be displayed to the user or provoke a reaction from your client. This includes the scenario where you aren't logged in. In such events, the SSH command fails to find the host, and you won't be authorized to access the host inventory in Okta Privileged Access. Removing the -q option from the Match exec line in your config file causes your client to send a browser sign-in request to the platform after a failed SSH attempt.

  • Custom Match directives

    Customizing Match directives allow the user to control specific client behavior for each server within their team. Users can use a customized Match directive to identify potential target servers, and incorporate other customization options (such as removing -q) to allow their client to act when trying to connect to a specific server.

    For example, this is a Match block that could be added to your config file:

    Match Host *ubu* "/usr/local/bin/sft resolve -q  %h"
     ProxyCommand "/usr/local/bin/sft" proxycommand  %h
     UserKnownHostsFile "/Users/Admin/Library/Application Support/ScaleFT/proxycommand_known_hosts"

    This creates a scenario where any attempted connections to servers that have names containing the letters "ubu" will follow the rules listed in this Match block only.

  • Identify specific bastions to connect through

    Instead of configuring a bastion through the agent configuration file sftd.yaml, you can dynamically dictate to your client-specific bastions, which it needs to move through when attempting SSH connections. This is done through the --via command, which can be added to the ProxyCommand lines of your config file as such:

    ProxyCommand "/usr/local/bin/sft" proxycommand --via <bastion> %h

    Replace <bastion> with the name of your specific bastion.