ScaleFT Agent

The ScaleFT Agent (sftd) is a daemon that runs on your servers and integrates with the ScaleFT Platform.

The ScaleFT Agent configures client certificate authentication for SSH and RDP, audits login events to the server, and manages local user accounts.


For detailed instructions specific to your operating system, see:

Command Line Options

  • --conf: Provide alternative configuration file path.
  • --debug-device-info: Prints detected device information to stderr and then exits.
  • -h, --help: Display help.
  • -v, --version: Display version.
  • --syslog: Force syslog logging.

Configuration File

On startup, the ScaleFT Agent reads its settings from the configuration file sftd.yaml. This file is in YAML format.

If this file is not available, sftd proceeds with the default values.

Default Configuration:

# Common Configuration Options:
# AccessAddress is unset by default
AutoEnroll:            true
# Bastion is unset by default
# CanonicalName is unset by default
# InitialURL is unset by default

Common Configuration Options


AccessAddress

default: unset

For hosts with multiple interfaces, or behind DNATs; specifies the address clients will use when connecting to this host.


AltNames

default: unset

A list of alternative hostnames for this server. These names can be used as targetnames in sft ssh.


AltNames: ["web01", ""]


AutoEnroll

default: true

true or false. When true, sftd will attempt to automatically enroll with ScaleFT on initial startup.


Bastion

default: unset

Specifies the bastion-host clients will automatically use when connecting to this host. (see: SSHing to a server for more details)


CanonicalName

default: unset

Specifies the name clients should use/see when connecting to this host. Overrides the name found with hostname.


InitialURL

default: unset

When AutoEnroll is set to true, this option specifies the InitialURL that the server can use to auto-enroll. When an enrollment.token is provided, this option is ignored.

Additional Configuration Options


default: INFO

Controls the logging verbosity. Valid values are WARN, INFO or DEBUG. Running sftd with the --debug flag is equivalent to configuring a level of DEBUG, and will override values from the config file.


default: /var/lib/sftd/buffer.db

Path prefix for the file(s) that sftd will use for its local buffer store. Each individual buffer is named by appending a '.' and an incrementing number to the path prefix. BufferFiles which have been synchronized will be removed automatically.


default: /var/lib/sftd/enrollment.token

Path to the file containing a secret token for token based enrollment. This file is deleted after a successful enrollment to the platform.


default: none

URL to an HTTP CONNECT proxy that sftd will use for outbound network connectivity to the ScaleFT Platform. Alternatively, the HTTPS_PROXY environment variable can be used for this configuration.


default: /var/lib/sftd/device.server

Path to the file that sftd uses to store the server URL that it will connect to.


default: /etc/ssh/sshd_config

Path to the sshd configuration file. *Note: sftd will modify this file.*


default: /var/lib/sftd/device.token

Path to file that sftd uses to store its secret token for authentication to ScaleFT.


default: /var/lib/sftd/

Path for sftd to write the list of trusted SSH Certificate authorities to.
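The enrollment token and device token described above are secrets stored on disk. The following is an added example, not part of the ScaleFT documentation or tooling, that audits both files at their default names. The function names, the expected owner (uid 0) and the "no group/other access" rule are assumptions, as is treating the presence of device.token as a sign that the host has enrolled.

```shell
#!/bin/sh
# Added example: audit sftd's secret token files under its state directory.
# File names are this page's defaults; the ownership and mode expectations
# (uid 0, no group/other access) are assumptions, not documented sftd behavior.

# check_secret FILE UID: print findings for one file, return their count.
check_secret() {
    f=$1; want_uid=$2; n=0
    if [ -L "$f" ]; then
        echo "FINDING: $f is a symlink"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FINDING: $f is not a regular file"; return 1
    fi
    listing=$(ls -ldn -- "$f")
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s\n' "$listing" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $f is accessible to group or others"; n=$((n + 1))
    fi
    if [ "$(printf '%s\n' "$listing" | awk '{print $3}')" != "$want_uid" ]; then
        echo "FINDING: $f is not owned by uid $want_uid"; n=$((n + 1))
    fi
    return "$n"
}

# audit_sftd_state [DIR] [UID]: return the total number of findings.
audit_sftd_state() {
    dir=${1:-/var/lib/sftd}; uid=${2:-0}; total=0
    dev=$dir/device.token; enr=$dir/enrollment.token
    if [ -e "$dev" ] || [ -L "$dev" ]; then
        check_secret "$dev" "$uid" || total=$((total + $?))
    fi
    if [ -e "$enr" ] || [ -L "$enr" ]; then
        check_secret "$enr" "$uid" || total=$((total + $?))
        # The token is deleted after a successful enrollment, so finding it
        # beside device.token (assumed to mean "enrolled") is worth a look.
        if [ -f "$dev" ]; then
            echo "FINDING: $enr still present on an enrolled host"
            total=$((total + 1))
        fi
    fi
    return "$total"
}
```

Source the file and call audit_sftd_state with no arguments as root on the server; a non-zero return value is the number of findings printed.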

Files and Paths


sftd on Linux runs under the root user. Paths follow the Linux Standard Base specifications when applicable.

State Directory


Config File


Log Directory:

sftd uses the system logger when available.

Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:


Disable Autostart


By default the scaleft-server-tools packages on RedHat- and Debian-derived distributions will automatically start sftd after installation. In most circumstances this will cause the agent to automatically enroll in ScaleFT, create local users and remove the enrollment token from disk.

If a disable-autostart file exists at the time of installation the packages will not start the agent automatically. This can be useful when building OS images using a tool like Packer. Under these circumstances it is typically preferable to remove the disable-autostart file once the package has been installed.


On Windows, the ScaleFT Agent runs under the LocalSystem account.

%LOCALAPPDIR% is the default prefix for all filesystem paths.

State Directory:


Config File:


Log Directory:


Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:


Environment Variables

sftd reads the following variables when starting:

  • SFT_DEBUG: Prints additional debugging to stderr when set.