Use the Advanced Server Access client
Every Advanced Server Access client command uses the syntax:
sft [global options] command [command options] [arguments...]
Global options
You can use the following options with any client command:
- -h, --help: Display help.
- -v, --version: Display version.
- --config-file: Provide alternative configuration file path.
- --account: Use the specified account.
- --team: Use the specified team.
- --instance: Use the specified instance of the Advanced Server Access platform.
Client commands
sft config
Gets and sets sft configuration options. See Configuration.
sft dash
Opens your team's dashboard in your browser.
sft device-info
Shows your client's device info as JSON.
sft enroll
Adds your new client to your clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. inventory on the Advanced Server Access platform.
sft list-accounts
Lists the accounts that this client is configured to use.
Options:
- --columns A comma-delimited list of lowercase column names to display in default output.
- -l, --selector A selector (label query) to filter on. See Selectors.
- --output [format], -o [format] The output format, which must be one of: default, json, or describe.
Examples:
sft list-accounts -o json
sft list-accounts --columns account,id
sft list-accounts -l account=teamname --columns id,username
sft list-servers
Lists servers available in the current team.
Options:
- --columns: comma-delimited list of lowercase column names to print, only used for default output format
- -l, --selector: Selector (label query) to filter on. See Selectors.
- --output [format], -o [format] The output format must be one of: default, json, or describe
Examples:
sft list-servers -l os_type=windows
sft list-servers -l os_type=windows,project_name=Demo
sft list-servers -l os_type=windows --columns id,hostname
sft list-servers -l os_type=linux -o json
sft login
If logged out of your client's current team, creates a new session, authenticating with your team's identity provider.
An active, authorized client session allows the Advanced Server Access client to request credentials in the background as needed.
sft logout
Logs out from current session.
sft proxycommand
Used with OpenSSH ProxyCommand to enable transparent use of sft with ssh, scp, rsync, ftp, and so on.
Options:
- --config Deprecated in favor of sft ssh-config.
- --via, --bastion The SSH bastion host to use to connect to the target.
sft rdp
Connects over RDP to a target passed as an argument.
Options:
- --via, --bastion The SSH bastion host to use to connect to the target.
sft resolve
Resolves a single server matching the hostname or instance-details specified.
sft ssh
Connects over SSH to a target passed as an argument.
Generally, Advanced Server Access works with ssh using OpenSSH ProxyCommand integration. The sft ssh command is provided for ssh support in environments or contexts where OpenSSH is not available, or for times when you may want to explicitly pass Advanced Server Access-specific options such as --via.
Options:
- --via, --bastion: The SSH bastion host to use to connect to the target.
- --command: The command to execute over SSH.
- -L: Support local port-forwarding as OpenSSH does.
- -R: Support remote port-forwarding as OpenSSH does.
sft ssh-config
Prints an OpenSSH configuration block suitable for use in your ~/.ssh/config file which will enable your local ssh binary to use Advanced Server Access authentication. This SSH configuration will be used only when your client has a currently active and authorized session.
Options:
- --via, --bastion: SSH bastion host to use to connect to the target.
sft unenroll
Removes the currently active client from your client inventory in the Advanced Server Access platform.
Options:
- --all: Unenroll all local clients.
sft use
Sets an enrolled team as the current default for use in your current session.
sft help
Shows a list of commands or help for one command.
Selectors
- -l, --selector: The selector (label query) to filter on.
Commands that take a selector as an optional argument can filter their results based on an arbitrary selector query.
Selector syntax is based on Kubernetes label queries. See Labels and Selectors.
Example:
sft list-servers -l os_type=windows,project_name=Demo
The example uses a selector to filter the list of servers you have access to. It returns a list of Windows servers that are enrolled in the Demo project.
Configure the client
You can view or set configuration options with the sft config command.
No configuration file exists when the Advanced Server Access client is installed. The configuration file is created when you set your first configuration option.
Default settings are used until you explicitly set a configuration value. The defaults provided for the Advanced Server Access client are intended to provide the most security and ease of use for the most common situations. Aside from personal preferences, such as the setting for rdp.screensize, you may not need to set any client configurations at all.
Advanced Server Access client configurations are grouped into sections. Currently these sections include rdp, ssh, ssh_agent, service_auth, and update.
View your configuration
- sft config: Display your current configurations.
- sft config [section.key]: View the current value of a specific configuration indicated by section.key
Set a configuration value
You can set a configuration value with the command syntax: sft config [section.key] [value].
RDP configuration options
|
Key |
Description |
Examples |
|---|---|---|
| rdp.screensize | Set this to a string value, such as 1024x768, that describes your preferred RDP window size. |
sft config rdp.screensize 800x600 sft config rdp.screensize 1024x768 |
| rdp.fullscreen | Set this to true to have RDP sessions open in fullscreen mode. When set to true, the value of rdp.screensize is ignored. |
sft config rdp.fullscreen true sft config rdp.fullscreen false |
SSH configuration options
|
Key |
Description |
Examples |
|---|---|---|
| ssh.save_privatekey_passwords | If set to true, the Advanced Server Access client stores any passphrases entered by the user in the workstation's local cryptographic store. |
sft config ssh.save_privatekey_passwords true sft config ssh.save_privatekey_passwords false |
| ssh.port_forward_method | Set this to netcat to have Advanced Server Access remotely execute netcat (nc) as a means of port forwarding, rather than using the default native SSH port forwarding. |
sft config ssh.port_forward_method netcat sft config ssh.port_forward_method native |
|
ssh.insecure_forward_agent |
Set this to host to set the ForwardAgent when executing SSH commands. Note that Advanced Server Access-issued credentials are not added to the ssh-agent, so this option is for use with hosts that are configured to accept an externally-managed credential, such as an SSH public that's not managed by Advanced Server Access. Not setting this option, or setting it to the value none, causes Advanced Server Access to not forward the SSH agent. |
sft config ssh.insecure_forward_agent host sft config ssh.insecure_forward_agent none |
SSH agent configuration options
|
Key |
Description |
Examples |
|---|---|---|
| ssh_agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations..enable | If set to true, Advanced Server Access client uses an SSH agent when authenticating. |
sft config ssh_agent.enable true sft config ssh_agent.enable false |
| ssh_agent.keys |
Set this to a JSON array of one or more paths to SSH private keys to load into the SSH agent. You can append values to this list by using the --append flag.
Tip: When writing a JSON literal in Windows PowerShell, escape inner quotes; for example: sft config ssh_agent.keys '[\"C:\\Users\\alice\\.ssh\\id_rsa\"]' |
sft config ssh_agent.keys '["/Users/alice/.ssh/id_rsa"]' sft config ssh_agent.keys --append /Users/alice.ssh/id_rsa sft config ssh_agent.keys '[]' |
Network configuration options
|
Key |
Description |
Examples |
|---|---|---|
| network.forward_proxy | If you configure this option, the Advanced Server Access client uses the specified HTTP or HTTPS URL as an HTTP tunnel. See HTTP CONNECT method. |
sft config network.forward_proxy https://your-proxy.example.com:3141 |
|
network.tls_use_bundled_cas |
If set to true, Advanced Server Access client uses a bundled CA certificate list for TLS validation. If set to false, the client uses the operating system's CA list. Note: This option is set to true by default and it's highly advised that you don't change it to false, as certain operating systems can have CA list issues, and the performance can be measurably worse than using bundled CA certificate lists. |
sft config network.tls_use_bundled_cas true sft config tls_use_bundled_cas false |
Service Auth configuration options
|
Key |
Description |
Examples |
|---|---|---|
| service_auth.enable | If set to true, the Advanced Server Access client will support authentication for service users. See Service users. |
sft config service_auth.enable true sft config service_auth.enable false |
Update configuration options
|
Option |
Description |
Examples |
|---|---|---|
| update.release_channel | The Advanced Server Access client defaults to the stable update channel, but you can opt into receiving more frequent releases by setting this option to use the test update channel. |
sft config update.release_channel test sft config update.release_channel stable |
Environment variables
SFT_DEBUG
When set, any command run will print internal logs and timing messages to stderr
Example
SFT_DEBUG=1 sft list-servers