SSH Setup

Using SSH with Advanced Server Access can be as simple as ssh <hostname>.

Advanced Server Access with ProxyCommand

OpenSSH ProxyCommand is the recommended method of using SSH with Advanced Server Access. It involves only a little local SSH client configuration and fits normal SSH workflows: once configured, plain ssh <hostname> works as usual, with sft resolving the host and supplying the credentials behind the scenes.

First, run sft ssh-config.

This command prints an SSH configuration block for use in your local SSH configuration file (usually ~/.ssh/config). Append the configuration to that file once; redirecting the output with >> a second time adds a second copy of the block.

After your ~/.ssh/config is configured, the command sft login opens an Advanced Server Access session. This authorizes the sft client on your machine to request credentials and to query metadata from the Advanced Server Access server inventory on your behalf. The session has a fixed lifetime, which sft login reports when it completes.

[alice@mylaptop]$ sft ssh-config
# Add this to your $HOME/.ssh/config
Match exec "/usr/bin/sft resolve -q %h"
    ProxyCommand "/usr/bin/sft" proxycommand %h
    UserKnownHostsFile "/Users/alice/Library/Application Support/ScaleFT/proxycommand_known_hosts"
[alice@mylaptop]$ sft ssh-config >> ~/.ssh/config
[alice@mylaptop]$ sft login
Waiting on browser...
Browser step completed successfully.
Session expires in 9h0m0s
[alice@mylaptop]$ ssh web0.example.com
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
----------------------------------------------------------------
Ubuntu 15.04 built 2016-01-06
----------------------------------------------------------------
Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
alice@web0$
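As an added example (not Okta's own tooling), the following POSIX shell helpers wrap the setup steps above. One checks that the local OpenSSH is new enough for the Match exec directive the generated block relies on (the Match keyword in ssh_config first appeared in OpenSSH 6.5), and one appends the sft ssh-config output to a config file only if an sft ProxyCommand line is not already present, so repeating the install does not stack duplicate Match blocks. The sample block embedded in the script is constructed to mirror the output shown above, and the "proxycommand %h" marker used to detect an existing install is this script's own assumption, not something sft guarantees.

```shell
#!/bin/sh
# Added example, not part of Okta's sft client. Assumptions: the block printed
# by `sft ssh-config` always contains a line matching 'sft.* proxycommand %h'
# (used here as the "already installed" marker), and "Match exec" in
# ssh_config needs OpenSSH 6.5 or later.

# Constructed sample, mirroring the block printed by `sft ssh-config` above.
SFT_BLOCK='# Add this to your $HOME/.ssh/config
Match exec "/usr/bin/sft resolve -q %h"
    ProxyCommand "/usr/bin/sft" proxycommand %h
    UserKnownHostsFile "/Users/alice/Library/Application Support/ScaleFT/proxycommand_known_hosts"'

# ssh_supports_match VERSION_STRING
# Succeeds if VERSION_STRING (the output of `ssh -V`) names OpenSSH 6.5 or
# later; fails for older releases or for anything that is not OpenSSH.
ssh_supports_match() {
  ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  set -- $ver                      # $1 = major, $2 = minor
  [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 5 ]; }
}

# install_sft_block CONFIG_PATH BLOCK
# Appends BLOCK to CONFIG_PATH unless an sft ProxyCommand line is already
# there. Creates the file with mode 600 if needed: ssh refuses a config that
# is group- or world-writable.
install_sft_block() {
  config=$1
  block=$2
  mkdir -p "$(dirname "$config")"
  [ -e "$config" ] || { : > "$config"; chmod 600 "$config"; }
  if grep -q 'sft.* proxycommand %h' "$config"; then
    return 0                       # already installed; leave the file alone
  fi
  printf '\n%s\n' "$block" >> "$config"
}

# count_sft_blocks CONFIG_PATH
# Prints how many sft ProxyCommand lines CONFIG_PATH contains (0 if none).
count_sft_blocks() {
  grep -c 'sft.* proxycommand %h' "$1" || true
}

# Stand-alone demonstration against a scratch config (never touches ~/.ssh).
demo_dir=$(mktemp -d)
install_sft_block "$demo_dir/config" "$SFT_BLOCK"
install_sft_block "$demo_dir/config" "$SFT_BLOCK"   # second run is a no-op
echo "sft blocks in scratch config: $(count_sft_blocks "$demo_dir/config")"
rm -rf "$demo_dir"

# Check the real client, if one is installed; `ssh -V` writes to stderr.
if command -v ssh >/dev/null 2>&1; then
  if ssh_supports_match "$(ssh -V 2>&1)"; then
    echo "local OpenSSH supports Match exec"
  else
    echo "local OpenSSH is too old for Match exec; use sft ssh instead" >&2
  fi
fi
```

For a real install, source the script and run install_sft_block "$HOME/.ssh/config" "$(sft ssh-config)"; the duplicate check means the same line can sit in a dotfile bootstrap and be re-run safely.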

Using sft ssh

In some environments, OpenSSH ProxyCommand is not available. Users in those circumstances can use the sft ssh command instead. The sft ssh command is also helpful when testing new configurations (such as bastions) in Advanced Server Access, since you can easily pass Advanced Server Access-specific arguments to it, such as --via.

To try it out, just run sft ssh <hostname>.

[alice@mylaptop]$ sft ssh web0.example.com
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
----------------------------------------------------------------
Ubuntu 15.04 built 2016-01-06
----------------------------------------------------------------
Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
alice@web0$

You can see a list of available servers with the command sft list-servers.

Using Advanced Server Access with SSH Bastions

In many environments, you cannot reach hosts directly, but must instead traverse a bastion or "gateway" host. With Advanced Server Access this is both easy and secure.

Advanced Server Access transparently applies SSH best practices for traversing bastion hops securely. Your SSH client's connection to the target host, as well as each intervening connection to a bastion, is end-to-end encrypted, end-to-end mutually authenticated, and authorized with ephemeral client certificates; the bastion forwards the connection but never holds a credential for the target host.

You can add ad hoc bastion hops by adding the --via command line option to sft ssh.

[alice@mylaptop]$ sft ssh --via bastion.example.com web0.example.com
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
----------------------------------------------------------------
Ubuntu 15.04 built 2016-01-06
----------------------------------------------------------------
Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
alice@web0$

Bastions can be configured to be used consistently with a simple agent configuration on the target host. When a bastion is specified in the agent's YAML configuration file (e.g. Bastion: bastion.example.com), that bastion is always used when users connect to that server, without any --via on the client side.

Learn more about agent configurations

With the same web0.example.com configured with a bastion as above, an SSH connection over the bastion is as simple as this:

[alice@mylaptop]$ ssh web0.example.com
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
----------------------------------------------------------------
Ubuntu 15.04 built 2016-01-06
----------------------------------------------------------------
Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
alice@web0$