Configure and use the Advanced Server Access agent

There are many aspects of the Advanced Server Access agent (sftd) that you can configure. You specify the agent's configuration in its configuration file, and a few options are also available on the command line.

Command line options

    --conf: Provide an alternative configuration file path.

    --debug-device-info: Prints detected device information to stderr and then exits.

    -h, --help: Displays help.

    -v, --version: Displays version.

    --syslog: Force syslog logging.

Configuration file

On startup, the Advanced Server Access agent configures itself using the settings from sftd.yaml. This file is in the YAML format. See YAML.

If this file is not available, sftd uses the default configuration below.

Default configuration:

    ---
    # Common Configuration Options:
    #
    # AccessAddress is unset by default
    AutoEnroll: true
    # Bastion is unset by default
    # CanonicalName is unset by default
    # InitialURL is unset by default


Common Configuration Options

Option: AccessAddress
Default value: unset
Description: For hosts with multiple interfaces or behind DNATs, this specifies the address that clients use to connect to this host.

Option: AccessInterface
Default value: unset
Description: For hosts with a specific public IP address associated with a known interface, this option specifies the interface that clients negotiate connections with while connecting to the host. The value is an interface name, not a port number.

Example (eth0 is a placeholder interface name):

    AccessInterface: eth0

Option: AltNames
Default value: unset
Description: A list of alternative hostnames for this server. These names can be used as target names for sft ssh.

Example:

    AltNames: ["web01", "web01.example.com"]

Option: AutoEnroll
Default value: true
Description: This option is either true or false. When set to true, sftd attempts to automatically enroll with Advanced Server Access on initial startup.

Option: Bastion
Default value: unset
Description: Specifies the bastion host that clients automatically use when connecting to this host.

Option: CanonicalName
Default value: unset
Description: Specifies the name that clients should use and see when connecting to this host. This overrides the name returned by the hostname command.

Option: InitialURL
Default value: unset
Description: When AutoEnroll is set to true, this option specifies the InitialURL that the server uses to auto-enroll. When an enrollment token is provided by EnrollmentTokenFile, this option is ignored.

Note: This option is only used by legacy installations not hosted by Advanced Server Access instances.

Option: SSHDPort
Default value: unset
Description: Traditionally, clients initiate SSH connections on port 22 of a host. This option lets admins specify a different port for clients to use when negotiating SSH connections.

Example:

    SSHDPort: 4022
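The following is an added example of a complete /etc/sft/sftd.yaml that combines the common options above for a host that sits behind a NAT, runs sshd on a non-default port, and is reached through a bastion. It is not taken from the product documentation; the address 203.0.113.10, the hostnames, the bastion name and the proxy URL are placeholders.

```yaml
# Added example sftd.yaml; addresses, hostnames, bastion and proxy are placeholders.
---
# Enroll automatically on first start (default). The enrollment token in
# /var/lib/sftd/enrollment.token is consumed and deleted after enrollment.
AutoEnroll: true

# Clients connect to this address rather than the address the host sees on
# its own interfaces, because the host is behind a DNAT.
AccessAddress: 203.0.113.10

# Name clients see instead of the output of the hostname command, plus the
# extra names accepted as targets for sft ssh.
CanonicalName: web01
AltNames: ["web01", "web01.example.com"]

# Clients are routed through this bastion automatically.
Bastion: bastion.example.com

# sshd on this host listens on 4022 rather than 22.
SSHDPort: 4022

# Keep INFO in production; switch to DEBUG only while troubleshooting, since
# DEBUG output is considerably more verbose.
LogLevel: INFO

# Outbound connectivity to the platform goes through an egress HTTP CONNECT
# proxy (the HTTPS_PROXY environment variable is an alternative).
ForwardProxy: http://proxy.example.com:3128
```

Because sftd modifies the sshd configuration file named by SSHDConfigFile, the SSHDPort value must match the port sshd actually listens on; it tells clients where to connect, it does not change sshd's own listening port.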


Additional Configuration Options

Option: LogLevel
Default value: INFO
Description: This option controls the logging verbosity level. Valid values are:

  • WARN
  • INFO
  • DEBUG

You can also manually set the verbosity level to DEBUG by running sftd --debug, which overrides any value set in the config file.

Option: BufferFile
Default value: /var/lib/sftd/buffer.db
Description: This sets the path prefix to the file(s) that sftd uses for its local buffer store. Individual buffer file names consist of the path prefix, followed by a period and an incremental number (for example, buffer.db.1). Buffer files that have been synchronized are automatically removed.

Option: DisableBroker
Default value: unset
Description: Advanced Server Access automatically runs an access broker process that listens on port 4421. On Windows, the access broker is responsible for proxying RDP connections and is required for users to be able to RDP to their team's Windows server. For Linux hosts, access broker processes are only required when they're configured in Advanced Server Access to create users on demand.

Set DisableBroker to true to have the agent not run an access broker process.

Note: Disabling the access broker process is not recommended on Windows. See Windows Internals.

Option: EnrollmentTokenFile
Default value: /var/lib/sftd/enrollment.token
Description: This sets the path to a file that contains a secret token for token-based enrollment. This file is deleted after a successful enrollment to the platform.

Option: ForwardProxy
Default value: none
Description: This is a URL to an HTTP CONNECT proxy that sftd uses for outbound network connectivity to the Advanced Server Access platform. Alternatively, the HTTPS_PROXY environment variable can be used to configure this proxy.

Option: ServerFile
Default value: /var/lib/sftd/device.server
Description: This is the path to the file that sftd uses to store the URL of the server that it connects to.

Option: SSHDConfigFile
Default value: /etc/ssh/sshd_config
Description: This is the path to the sshd configuration file.

Note: sftd modifies this file.

Option: TokenFile
Default value: /var/lib/sftd/device.token
Description: This is the path to the file that sftd uses to store its secret token for authentication to Advanced Server Access.

Option: TrustedUserCAKeysFile
Default value: /var/lib/sftd/ssh_ca.pub
Description: This is the path that sftd writes its list of trusted SSH certificate authorities to.

Files and Paths

This section provides the locations of important files and paths in Linux and Windows that are used by Advanced Server Access.

Linux

sftd on Linux runs under the root user. Paths follow the Linux Standard Base specifications when applicable.

State Directory

/var/lib/sftd

Config File

/etc/sft/sftd.yaml

Log Directory:

sftd uses the system logger when available.

Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:

/var/lib/sftd/enrollment.token

Disable Autostart

/etc/sftd/disable-autostart

By default, the scaleft-server-tools packages on Red Hat- and Debian-derived distributions will automatically start sftd after installation. In most circumstances, this causes the agent to automatically enroll in Advanced Server Access, create local users, and remove the enrollment token from disk.

If a disable-autostart file exists at the time of installation, the packages will not automatically start the agent. This can be useful when building OS images using a tool like Packer. Under these circumstances, it is typically preferable to remove the disable-autostart file once the package has been installed.
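The image-build procedure above (drop the disable-autostart marker before the package installs, stage the enrollment token, remove the marker once the package is in place) as an added bash example. It is not part of the scaleft-server-tools packages; the PREFIX argument is this example's own device so the functions can be exercised against a scratch directory, and the token value is a constructed placeholder. On a real host call the functions with an empty prefix so the paths resolve to /etc/sftd and /var/lib/sftd as given above.

```bash
#!/usr/bin/env bash
# Added example, not the product's own tooling. Paths are the ones documented
# for sftd on Linux; PREFIX is an illustrative parameter for running against a
# scratch root (pass "" on a real host). Run as root on a real host.
set -eu

# Before installing scaleft-server-tools: create the marker so the package's
# post-install step does not start sftd and enroll the build machine itself.
pre_install_disable_autostart() {
    prefix="${1:-}"
    mkdir -p "${prefix}/etc/sftd"
    : > "${prefix}/etc/sftd/disable-autostart"
}

# Stage the enrollment token sftd reads from EnrollmentTokenFile on first
# start. The state directory and file are created with a restrictive umask so
# the secret is never world-readable, not even between write and chmod.
stage_enrollment_token() {
    prefix="${1:-}"
    token="$2"
    dir="${prefix}/var/lib/sftd"
    ( umask 077; mkdir -p "$dir"; printf '%s\n' "$token" > "${dir}/enrollment.token" )
}

# After the package is installed: remove the marker so sftd starts normally
# when an instance is booted from the image, enrolls, and deletes the token.
post_install_cleanup() {
    prefix="${1:-}"
    rm -f "${prefix}/etc/sftd/disable-autostart"
}

# Mode string of the staged token file, e.g. "-rw-------"; used as a check
# before the image is sealed.
token_file_mode() {
    prefix="${1:-}"
    ls -l "${prefix}/var/lib/sftd/enrollment.token" | cut -c1-10
}

# Typical sequence in a Packer provisioner (empty prefix = real filesystem):
#   pre_install_disable_autostart ""
#   <install scaleft-server-tools package here>
#   stage_enrollment_token "" "$SFT_ENROLLMENT_TOKEN"
#   post_install_cleanup ""
```

The token must be supplied to the build from a secret store rather than baked into the provisioner script, and the check on the file mode is worth keeping: an image that ships a world-readable enrollment token lets any local account on the first boot enroll a device of its own.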

Windows

On Windows, the Advanced Server Access agent runs under the LocalSystem account.

%LOCALAPPDATA% of the LocalSystem profile is the default prefix for all filesystem paths.

State Directory:

C:\Windows\System32\config\systemprofile\AppData\Local\scaleft

Config File:

C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml

Log Directory:

C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs

Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:

C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\enrollment.token

Environment variables

sftd reads the following variables when starting:

  • SFT_DEBUG: Prints additional debugging to stderr when set.

Warning: Moving a server between projects will cause the new project to take over user and group synchronization, which may result in changes to local user names, UIDs or other attributes on the server. This will not remove the existing local users or groups from the original project, but any orphaned users will no longer be accessible using Advanced Server Access, with the exception of established SSH connections (which are not terminated).
