SSH setup

SSH is a secure shell that allows direct access to the command prompt. With the proper configuration, you can use SSH to connect to servers enrolled in Advanced Server Access by entering the command ssh <hostname>

Using ProxyCommand with Advanced Server Access

OpenSSH ProxyCommand is the recommended method of using SSH with Advanced Server Access. It requires configuring the local SSH client, which then lets you use normal SSH workflows with Advanced Server Access.

To configure the SSH client, run sft ssh-config

This command outputs an SSH configuration block. Append this block to your SSH configuration file (usually ~/.ssh/config). You can append the configuration to your file in one step by using the command sft ssh-config >> ~/.ssh/config

Now running sft login opens an Advanced Server Access session. This authorizes your SSH client to request credentials and query metadata from the Advanced Server Access server inventory.

Using sft ssh

In environments where OpenSSH ProxyCommand is not available, sft ssh can be used instead. This command can be helpful when testing new configurations in Advanced Server Access, since you can easily pass Advanced Server Access-specific arguments to it, such as --via

You connect to a server by running sft ssh <hostname> For example, to connect to, you'd use the command sft ssh

You can see a list of available servers by running the command sft list-servers

Using Advanced Server Access with SSH bastions

There are many environments where you can't reach hosts directly, but instead must traverse through a bastion or "gateway" host. Advanced Server Access makes it easy and secure to use bastions.

Advanced Server Access transparently enables SSH best practices for traversing bastion hops securely. Every connection between your SSH client and the target host, including bastion connections, is end-to-end encrypted, mutually authenticated, and authorized with ephemeral client certificates.

You can add a bastion hop by passing the --via command line option to sft ssh. For example, to add as a bastion hop to, you'd enter the command: sft ssh --via

Bastions can be configured to be used consistently by configuring the agent on the target host. When a bastion is specified in an agent's sftd.yaml configuration file, (for example, Bastion:, the bastion will always be used when users connect to that server.

See Configure and use the Advanced Server Access agent.

For example, if you specify a bastion in the configuration file of the Advanced Server Access agent on, then the bastion will always be used when you use the command ssh