SSH is a secure shell that allows direct access to the command prompt. With the proper configuration, you can use SSH to connect to servers enrolled in Advanced Server Access by entering the command ssh <hostname>
Using ProxyCommand with Advanced Server Access
OpenSSH ProxyCommand is the recommended method of using SSH with Advanced Server Access. It requires configuring the local SSH client, which then lets you use normal SSH workflows with Advanced Server Access.
To configure the SSH clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. , run sft ssh-config
This command outputs an SSH configuration block. Append this block to your SSH configuration file (usually ~/.ssh/config). You can append the configuration to your file in one step by using the command sft ssh-config >> ~/.ssh/config
Now running sft login opens an Advanced Server Access session. This authorizes your SSH client to request credentials and query metadata from the Advanced Server Access server inventory.
Using sft ssh
In environments where OpenSSH ProxyCommand is not available, sft ssh can be used instead. This command can be helpful when testing new configurations in Advanced Server Access, since you can easily pass Advanced Server Access-specific arguments to it, such as --via
You connect to a server by running sft ssh <hostname> For example, to connect to web0.example.com, you'd use the command sft ssh web0.example.com
You can see a list of available servers by running the command sft list-servers
Using Advanced Server Access with SSH bastions
There are many environments where you can't reach hosts directly, but instead must traverse through a bastion or "gateway" host. Advanced Server Access makes it easy and secure to use bastions.
Advanced Server Access transparently enables SSH best practices for traversing bastion hops securely. Every connection between your SSH client and the target host, including bastion connections, is end-to-end encrypted, mutually authenticated, and authorized with ephemeral client certificates.
You can add a bastion hop by passing the --via command line option to sft ssh. For example, to add bastion.example.com as a bastion hop to web0.example.com, you'd enter the command: sft ssh --via bastion.example.com web0.example.com
Bastions can be configured to be used consistently by configuring the agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. on the target host. When a bastion is specified in an agent's sftd.yaml configuration file, (for example, Bastion: bastion.example.com), the bastion will always be used when users connect to that server.
For example, if you specify a bastion in the configuration file of the Advanced Server Access agent on web0.example.com, then the bastion will always be used when you use the command ssh web0.example.com