SSH setup

SSH is a secure shell that allows direct access to the command prompt. With the proper configuration, you can use SSH to connect to servers enrolled in Advanced Server Access by entering the command ssh <hostname>

Using ProxyCommand with Advanced Server Access

OpenSSH ProxyCommand is the recommended method of using SSH with Advanced Server Access. It requires configuring the local SSH client, which then lets you use normal SSH workflows with Advanced Server Access.

To configure the SSH clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. , run sft ssh-config

This command outputs an SSH configuration block. Append this block to your SSH configuration file (usually ~/.ssh/config). You can append the configuration to your file in one step by using the command sft ssh-config >> ~/.ssh/config

Now running sft login opens an Advanced Server Access session. This authorizes your SSH client to request credentials and query metadata from the Advanced Server Access server inventory.

Using sft ssh

In environments where OpenSSH ProxyCommand is not available, sft ssh can be used instead. This command can be helpful when testing new configurations in Advanced Server Access, since you can easily pass Advanced Server Access-specific arguments to it, such as --via

You connect to a server by running sft ssh <hostname> For example, to connect to, you'd use the command sft ssh

You can see a list of available servers by running the command sft list-servers

Using Advanced Server Access with SSH bastions

There are many environments where you can't reach hosts directly, but instead must traverse through a bastion or "gateway" host. Advanced Server Access makes it easy and secure to use bastions.

Advanced Server Access transparently enables SSH best practices for traversing bastion hops securely. Every connection between your SSH client and the target host, including bastion connections, is end-to-end encrypted, mutually authenticated, and authorized with ephemeral client certificates.

You can add a bastion hop by passing the --via command line option to sft ssh. For example, to add as a bastion hop to, you'd enter the command: sft ssh --via

Bastions can be configured to be used consistently by configuring the agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. on the target host. When a bastion is specified in an agent's sftd.yaml configuration file, (for example, Bastion:, the bastion will always be used when users connect to that server.

See Advanced Server Access agents.

For example, if you specify a bastion in the configuration file of the Advanced Server Access agent on, then the bastion will always be used when you use the command ssh

[alice@mylaptop]$ ssh Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64) * Documentation: ---------------------------------------------------------------- Ubuntu 15.04 built 2016-01-06 ---------------------------------------------------------------- Last login: Thu Jan 4 07:14:03 2016 from alice@web0$