SSH Setup


Using SSH with ScaleFT can be as simple as ssh <hostname>.

ScaleFT with ProxyCommand

OpenSSH ProxyCommand is the recommended method of using SSH with ScaleFT. It involves only a little local SSH client configuration, and provides great convenience for normal SSH workflows.

First, run sft ssh-config.

This command will print an SSH configuration block for use in your local SSH configuration file (usually ~/.ssh/config). Just append the configuration to that file.

After your ~/.ssh/config is configured, the command sft login will open a ScaleFT session. This authorizes your SSH client to request credentials and query metadata from our server inventory.

    [alice@mylaptop]$ sft ssh-config
    # Add this to your $HOME/.ssh/config
    Match exec "/usr/bin/sft resolve -q %h"
        ProxyCommand "/usr/bin/sft" proxycommand %h
        UserKnownHostsFile "/Users/alice/Library/Application Support/ScaleFT/proxycommand_known_hosts"
    [alice@mylaptop]$ sft ssh-config >> ~/.ssh/config
    [alice@mylaptop]$ sft login
    Waiting on browser...
    Browser step completed successfully.
    Session expires in 9h0m0s
    [alice@mylaptop]$ ssh web0.example.com
    Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    ----------------------------------------------------------------
    Ubuntu 15.04 built 2016-01-06
    ----------------------------------------------------------------
    Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
    alice@web0$
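Running sft ssh-config >> ~/.ssh/config a second time appends a duplicate block. The following is an added example, not ScaleFT's own code: install_sft_block is a hypothetical helper that appends the block only when its Match exec line is not already in the file, and keeps the file at permissions OpenSSH accepts.

```shell
#!/bin/sh
# Added example (not ScaleFT code). install_sft_block is a hypothetical helper.
# Reads the block printed by `sft ssh-config` on stdin and appends it to the
# SSH config file $1 unless its "Match exec" line is already there.
# Returns 0 = appended, 1 = already present, 2 = input has no Match exec line.
install_sft_block() {
    config=$1
    block=$(cat)
    # The Match line identifies the block; take the first one in the input.
    match_line=$(printf '%s\n' "$block" | sed -n '/^Match exec /{p;q;}')
    [ -n "$match_line" ] || { echo "no 'Match exec' line on stdin" >&2; return 2; }
    if [ ! -e "$config" ]; then
        mkdir -p "$(dirname "$config")"
        ( umask 077; : > "$config" )   # new file is created mode 0600
    fi
    # -F fixed string, -x whole line: %h and quotes are matched literally.
    if grep -Fxq -- "$match_line" "$config"; then
        echo "already configured: $config" >&2
        return 1
    fi
    printf '\n%s\n' "$block" >> "$config"
    # OpenSSH rejects a user config that is group- or world-writable.
    chmod go-w "$config"
}

# Constructed demo against a scratch file, using the block shown above.
# Real use: sft ssh-config | install_sft_block "$HOME/.ssh/config"
demo_cfg=$(mktemp -d)/config
demo_block='# Add this to your $HOME/.ssh/config
Match exec "/usr/bin/sft resolve -q %h"
    ProxyCommand "/usr/bin/sft" proxycommand %h'
printf '%s\n' "$demo_block" | install_sft_block "$demo_cfg"
printf '%s\n' "$demo_block" | install_sft_block "$demo_cfg" || echo "second run: no change"
```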

Using sft ssh

In some environments, OpenSSH ProxyCommand is not available. Users in those circumstances can use the sft ssh command instead. The sft ssh command is also helpful when testing new configurations (such as bastions) in ScaleFT, since you can easily pass ScaleFT-specific arguments to it, such as --via.

To try it out, just run sft ssh <hostname>.

    [alice@mylaptop]$ sft ssh web0.example.com
    Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    ----------------------------------------------------------------
    Ubuntu 15.04 built 2016-01-06
    ----------------------------------------------------------------
    Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
    alice@web0$

You can see a list of available servers with the command sft list-servers.

Using ScaleFT with SSH Bastions

In many environments, you cannot reach hosts directly, but instead must traverse through a bastion or “gateway” host. With ScaleFT this is easy and secure.

ScaleFT transparently enables SSH best practices for traversing bastion hops securely. Your SSH client’s connection to the target host, as well as each intervening connection to each bastion, is end-to-end encrypted, end-to-end mutually authenticated, and authorized with ephemeral client certificates.

You can add ad hoc bastion hops by adding the --via command line option to sft ssh.

    [alice@mylaptop]$ sft ssh --via bastion.example.com web0.example.com
    Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    ----------------------------------------------------------------
    Ubuntu 15.04 built 2016-01-06
    ----------------------------------------------------------------
    Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
    alice@web0$

Bastions can be configured to be used consistently with a simple agent configuration on the target host. When a bastion is specified in an agent’s YAML configuration file (i.e. Bastion: bastion.example.com), the bastion will always be used when users connect to that server.

Learn more about agent configurations

With the same web0.example.com with a bastion configured as above, an SSH connection over the bastion is as simple as this:

    [alice@mylaptop]$ ssh web0.example.com
    Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-15-generic x86_64)
     * Documentation: https://help.ubuntu.com/
    ----------------------------------------------------------------
    Ubuntu 15.04 built 2016-01-06
    ----------------------------------------------------------------
    Last login: Thu Jan 4 07:14:03 2016 from 198.51.100.23
    alice@web0$