SSHing to a Server
After the initial configuration is complete, users in your team can SSH to all servers they’ve been granted access to. Once the user’s client is configured, this can be as simple as typing
There are two ways to use ScaleFT with SSH: using OpenSSH’s ProxyCommand, or using the command line tool.
Configuring ScaleFT as a ProxyCommand for ssh
This is the recommended method of ScaleFT SSH integration.
sft proxycommand --config. This command will output a configuration block
for use in your personal SSH configuration file, usually at
Simply append the configuration there.
After the configuration is in your
sft login to open a ScaleFT session, which enables ssh to get credentials from ScaleFT, and you can ssh to your hosts.
Using sft client
Users who prefer not to use ssh proxycommand integration can use the tool to access servers.
From an enrolled client, run sft ssh <hostname> where <hostname> is the name of any enrolled server. You can see a list of available servers by browsing to your project in the ScaleFT Dashboard, or with the command
Note: the first time you run sft ssh you will be prompted to approve your client’s access to infrastructure credentials. This approval may last for up to
Using sft with Bastion hosts
In many environments, you cannot reach hosts directly, but instead must traverse a bastion or “gateway” host. With ScaleFT this is easy and secure.
ScaleFT uses established best practice for traversing bastion hosts securely, and does this for you transparently. Your connection to the target host will be encrypted from your client all the way to the remote target, without any intermediate host being able to snoop on you. This is the same method of bastion traversal achieved by chaining “ProxyCommand” configurations in OpenSSH’s client.
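The chained ProxyCommand traversal mentioned above, written out for plain OpenSSH as an added example. It is not ScaleFT's generated configuration; the host names bastion.example.com, inner-bastion.example.com and db0.example.com are assumed for illustration.

```sshconfig
# Added example for plain OpenSSH (~/.ssh/config); host names other than
# web0.example.com are assumptions, not taken from the ScaleFT documentation.

# Weak pattern, shown commented out for comparison: log in to the bastion
# with agent forwarding and run a second ssh from there. The second hop
# starts on the bastion, so that host sees the session in the clear, and
# anyone able to bypass file permissions on it can use the forwarded agent.
#
# Host bastion.example.com
#     ForwardAgent yes

# Preferred pattern: the bastion only relays bytes.
Host bastion.example.com
    ForwardAgent no

Host web0.example.com
    # -W asks the bastion to forward this client's stdin/stdout to %h:%p
    # (the target host and port). Key exchange, host key verification and
    # user authentication for web0 all happen on your client, inside that
    # relayed stream, so the bastion only ever carries ciphertext.
    ProxyCommand ssh -W %h:%p bastion.example.com
    ForwardAgent no

# Chaining: the inner bastion is itself reached through the outer one, and
# the final target is reached through the inner bastion. Each hop is a relay;
# the session to db0 still terminates only on your client and on db0.
Host inner-bastion.example.com
    ProxyCommand ssh -W %h:%p bastion.example.com
    ForwardAgent no

Host db0.example.com
    ProxyCommand ssh -W %h:%p inner-bastion.example.com
    ForwardAgent no
```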
You can specify bastions with the --via command line option to sft ssh, and
This can be made even easier: if you have servers that you always reach through a bastion, you can add that bastion to the server’s configuration.
When a Bastion is specified in a server’s configuration, e.g.
sft clients need not do anything else to connect securely to that server. Given the same web0.example.com as above that requires you to connect through a bastion, a client connection looks like the following:
And this works when using sft proxycommand too.