Using SSH with Advanced Server Access can be as simple as running ssh against a hostname from your server inventory, once the sft client is configured as described below.
Advanced Server Access with ProxyCommand
OpenSSH ProxyCommand is the recommended method of using SSH with Advanced Server Access. It involves only a little local SSH client configuration, and provides great convenience for normal SSH workflows.
The sft client can print an SSH configuration block for use in your local SSH configuration file (usually ~/.ssh/config). Append that block to the file.
Once ~/.ssh/config is configured, the command sft login opens an Advanced Server Access session. This authorizes your SSH client to request credentials and to query metadata from your server inventory.
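The block below is an added example of what the appended ~/.ssh/config section looks like; it is not copied from this page or from Okta's documentation, and the sft binary path, the user's home directory and the exact spelling of the sft subcommands are assumptions, so compare it against the block your own sft prints. The important design point is visible regardless of the details: the ProxyCommand is guarded by a Match exec rule, so only hosts that the sft client can resolve from the Advanced Server Access inventory are routed through sft, and every other host keeps your existing SSH configuration.

```ssh_config
# Appended to ~/.ssh/config (added example; paths are assumptions)

# Only apply the ProxyCommand when sft can resolve %h from the ASA
# inventory. Hosts sft does not know about fall through to the rest of
# this file untouched, so unrelated SSH workflows are not affected.
Match exec "/usr/local/bin/sft resolve -q %h"
    # sft opens the connection (including any bastion hops) and hands
    # the stream to ssh; the ephemeral client certificate is fetched
    # during the sft login session, not stored as a long-lived key.
    ProxyCommand "/usr/local/bin/sft" proxycommand %h
    # Host keys for ASA-managed servers come from the server inventory,
    # kept apart from the trust-on-first-use entries in ~/.ssh/known_hosts.
    UserKnownHostsFile "/home/alice/.config/ScaleFT/proxycommand_known_hosts"
```

A quick check after appending the block: ssh -G web0.example.com prints the effective configuration OpenSSH will use for that host, so you can confirm the ProxyCommand line is picked up for an inventory host and absent for a host outside Advanced Server Access, before running sft login and connecting.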
In some environments, OpenSSH ProxyCommand is not available. Users in those circumstances can use the sft ssh command instead. The sft ssh command is also helpful when testing new configurations (such as bastions) in Advanced Server Access, since you can easily pass Advanced Server Access specific arguments to it, such as --via.
To try it out, just run sft ssh <hostname>.
The sft client can also list the servers available to you.
Using Advanced Server Access with SSH Bastions
In many environments, you cannot reach hosts directly, but instead must traverse a bastion or "gateway" host. With Advanced Server Access this is easy, and secure.
Advanced Server Access transparently applies SSH best practices for traversing bastion hops securely. Your SSH client's connection to the target host, as well as each intervening connection to a bastion, is end-to-end encrypted, end-to-end mutually authenticated, and authorized with ephemeral client certificates, so the bastion forwards an authenticated stream rather than terminating the session or holding credentials for the target.
You can add ad hoc bastion hops with the --via command line option to sft ssh.
Bastions can be configured to be used consistently with a simple agent configuration on the target host. When a bastion is specified in the agent's YAML configuration file (i.e. Bastion: bastion.example.com), the bastion will always be used when users connect to that server.
With the same ~/.ssh/config, and a target server web0.example.com with a bastion configured as above, an SSH connection over the bastion is as simple as running ssh web0.example.com, with no bastion arguments on the client side.
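The following is an added example of the agent-side bastion configuration described above, written by the editor rather than taken from this page or from Okta's documentation. The Bastion key is the one named on this page; the file path, the CanonicalName key and the surrounding comments are assumptions, so verify them against the agent configuration reference for your version.

```yaml
# Agent configuration on the target server web0.example.com
# (added example; the path /etc/sft/sftd.yaml and CanonicalName are assumptions)

# The name users will type in ssh / sft ssh and that appears in the inventory.
CanonicalName: web0.example.com

# Pin the bastion for this server. Every client session to web0 now hops
# through bastion.example.com, whether the user runs
#     ssh web0.example.com            (via the ProxyCommand block)
# or  sft ssh web0.example.com
# so nobody has to remember the ad hoc form
#     sft ssh --via bastion.example.com web0.example.com
# and the bastion cannot be bypassed by simply omitting --via.
Bastion: bastion.example.com
```

Prefer the agent-side setting over relying on users passing --via: the ad hoc option is convenient for testing a new bastion, but once the hop is required for the server's network position it belongs in the server's own configuration, where every client honours it consistently.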