ScaleFT Agent


Synopsis

sftd [options...] command...

Description

The ScaleFT Agent (sftd) is a daemon that runs on your servers and integrates with the ScaleFT Platform.

sftd installs trusted CA certificates to sshd, tracks logins to the server, and manages local user accounts. If a user group with the server_admin role enabled is added to the project for an sftd-managed server, sftd will modify the sudoers file to include those users.


Installation

Add the ScaleFT package repository to your package manager. Then run sudo apt-get install scaleft-server-tools or sudo yum install scaleft-server-tools. For detailed instructions specific to your operating system, see:


Files and Paths

Linux and Unix-like operating systems

sftd on Linux runs under the root user. Paths follow the Linux Standard Base specifications when applicable.

State Directory

/var/lib/sftd

Config File

/etc/sft/sftd.yaml

Log Directory

sftd uses the system logger when available.

Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token

/var/lib/sftd/enrollment.token

Disable Autostart

/etc/sftd/disable-autostart

By default the scaleft-server-tools packages on RedHat- and Debian-derived distributions will automatically start sftd after installation. In most circumstances this will cause the agent to automatically enroll in ScaleFT, create local users and remove the enrollment token from disk.

If a disable-autostart file exists at the time of installation, the packages will not start the agent automatically. This is useful when building OS images with a tool like Packer, where an automatic start would enroll the build machine and consume the enrollment token. Under these circumstances it is typically preferable to remove the disable-autostart file once the package has been installed, so that sftd starts normally on the instances built from the image.
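A build-time install sequence around the disable-autostart marker, added here as an example; it is not part of the ScaleFT documentation. It uses the marker path documented above. The root-prefix argument is an assumption of this script so the steps can be rehearsed against a scratch directory, and the package install line is left commented because it needs the ScaleFT repository.

```shell
#!/bin/sh
# Added example (not from the ScaleFT docs): install scaleft-server-tools on
# an image build without letting the post-install script start sftd.
set -eu

# Marker path documented in the Files and Paths section.
MARKER="/etc/sftd/disable-autostart"

# Create the marker before the package is installed. While it exists the
# package will not start sftd, so the image is not enrolled and the
# enrollment token stays on disk for first boot.
# $1 is a hypothetical root prefix ("" on a real build).
disable_autostart() {
  root="${1:-}"
  mkdir -p "${root}/etc/sftd"
  : > "${root}${MARKER}"
}

# Remove the marker once the package is installed so instances built from
# the image start sftd (and auto-enroll) on first boot.
enable_autostart() {
  root="${1:-}"
  rm -f "${root}${MARKER}"
}

# Returns 0 when autostart is currently disabled (marker present).
autostart_disabled() {
  root="${1:-}"
  [ -e "${root}${MARKER}" ]
}

# Typical Packer provisioner sequence. The install is commented out so the
# script runs offline; uncomment the line for your distribution.
build_image() {
  disable_autostart ""
  # apt-get install -y scaleft-server-tools    # Debian-derived
  # yum install -y scaleft-server-tools        # RedHat-derived
  enable_autostart ""
}
```

Run `disable_autostart` before, and `enable_autostart` after, the package install step of the provisioner; the marker only matters at the moment the package's post-install script runs.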


Windows Server

sftd on Windows runs under the LocalSystem account. %LOCALAPPDIR% is the default prefix for all filesystem paths.

State Directory:

C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT

Config File:

C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\sftd.yaml

Log Directory:

C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\Logs

Log files will be rotated after 5MB, and the latest 10 log files will be kept.

Enrollment Token:

C:\Windows\System32\config\systemprofile\AppData\Local\ScaleFT\enrollment.token


Configuration File

sftd reads its configuration settings from sftd.yaml. This file is in YAML format.

If this file is not available, sftd proceeds with the default values.

Default Configuration:

---
# Common Configuration Options:
#
# AccessAddress is unset by default
# AltNames is unset by default
AutoEnroll:            true
# Bastion is unset by default
# CanonicalName is unset by default
# InitialURL is unset by default
#
# Additional Configuration Options:
#
LogLevel:              INFO
BufferFile:            /var/lib/sftd/buffer.db
EnrollmentTokenFile:   /var/lib/sftd/enrollment.token
ServerFile:            /var/lib/sftd/device.server
SSHDConfigFile:        /etc/ssh/sshd_config
TokenFile:             /var/lib/sftd/device.token
TrustedUserCAKeysFile: /var/lib/sftd/ssh_ca.pub

Common Configuration Options

AccessAddress

default: unset

For hosts with multiple interfaces, or behind DNATs, specifies the address clients will use when connecting to this host.

AltNames

default: unset

A list of alternative hostnames for this server. These names can be used as target names in sft ssh.

Example:

AltNames: ["web01", "web01.example.com"]

AutoEnroll

default: true

true or false. When true, sftd will attempt to enroll with ScaleFT automatically on initial startup.

Bastion

default: unset

Specifies the bastion host that clients will automatically use when connecting to this host. (See SSHing to a server for more details.)

CanonicalName

default: unset

Specifies the name clients should use and see when connecting to this host. Overrides the name reported by hostname.

InitialURL

default: unset

When AutoEnroll is set to true, this option specifies the InitialURL that the server uses to auto-enroll. When an enrollment.token is present, this option is ignored.


Additional Configuration Options

LogLevel

default: INFO

Controls the logging verbosity. Valid values are WARN, INFO or DEBUG. Running sftd with the --debug flag is equivalent to configuring a level of DEBUG, and overrides the value from the config file.

BufferFile

default: /var/lib/sftd/buffer.db

Path prefix for the file(s) that sftd uses for its local buffer store. Individual buffer files are named by appending a '.' and an incrementing number to the path prefix. Buffer files that have been synchronized are removed automatically.

EnrollmentTokenFile

default: /var/lib/sftd/enrollment.token

Path to the file containing the secret token for token-based enrollment. This file is deleted after a successful enrollment to the platform.

ServerFile

default: /var/lib/sftd/device.server

Path to the file that sftd uses to store the server URL that it will connect to.

SSHDConfigFile

default: /etc/ssh/sshd_config

Path to the sshd configuration file. *Note: sftd will modify this file.*

TokenFile

default: /var/lib/sftd/device.token

Path to the file in which sftd stores its secret token for authentication to ScaleFT.

TrustedUserCAKeysFile

default: /var/lib/sftd/ssh_ca.pub

Path to which sftd writes the list of trusted SSH certificate authorities.
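A worked sftd.yaml for a host behind a DNAT that clients reach through a bastion, followed by a preflight check of the rules documented in the two option sections above. This is an added example, not code from ScaleFT. Every host name, address and URL in it is a constructed sample value; the `check_config` function, its scratch-directory arguments, and the assumption that sftd trusts its CA file through the OpenSSH TrustedUserCAKeys directive are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ScaleFT documentation. Writes a sample
# sftd.yaml and checks it against the documented option rules.
set -eu

# Write a config for a multi-homed/NAT'd host behind a bastion.
# All values are constructed samples. $1 is the target path
# (/etc/sft/sftd.yaml on a real host).
write_config() {
  cat > "$1" <<'EOF'
---
# Clients connect to the public DNAT address, not the interface address.
AccessAddress: 203.0.113.10
# Name shown to clients; overrides the output of hostname.
CanonicalName: web01
AltNames: ["web01.example.com", "web01.internal"]
# Clients hop through this host automatically.
Bastion: bastion.example.com
AutoEnroll: true
# Used only when no enrollment.token is present.
InitialURL: https://example.scaleft.com/enroll
LogLevel: INFO
EOF
}

# Read one top-level scalar from the flat sftd.yaml: $1 file, $2 key.
# Strips surrounding quotes; returns the empty string when unset.
conf_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/^["'"'"']//; s/["'"'"']$//' | head -n 1
}

# Preflight check. $1 sftd.yaml, $2 state directory (/var/lib/sftd),
# $3 sshd_config. Prints each finding and returns the number of findings.
check_config() {
  conf="$1"; state="$2"; sshd_conf="$3"
  findings=0

  level=$(conf_get "$conf" LogLevel)
  case "${level:-INFO}" in
    WARN|INFO|DEBUG) ;;
    *) echo "LogLevel '$level' is not WARN, INFO or DEBUG"; findings=$((findings+1)) ;;
  esac

  auto=$(conf_get "$conf" AutoEnroll)
  case "${auto:-true}" in
    true|false) ;;
    *) echo "AutoEnroll must be true or false, got '$auto'"; findings=$((findings+1)) ;;
  esac

  token="$state/enrollment.token"
  if [ -e "$token" ]; then
    # Documented: InitialURL is ignored while an enrollment token exists.
    if [ -n "$(conf_get "$conf" InitialURL)" ]; then
      echo "note: InitialURL is ignored because $token exists"
    fi
    # Added hardening check (not from the docs): the enrollment token is a
    # secret, so it should not be group- or world-readable.
    mode=$(stat -c %a "$token" 2>/dev/null || stat -f %Lp "$token")
    case "$mode" in
      *[1-7][0-7]|*[0-7][1-7]) echo "$token is group/world readable (mode $mode)"; findings=$((findings+1)) ;;
    esac
  fi

  # sftd writes its CA list to TrustedUserCAKeysFile and edits sshd_config;
  # assumption: sshd picks it up through a TrustedUserCAKeys directive.
  caf=$(conf_get "$conf" TrustedUserCAKeysFile)
  caf="${caf:-/var/lib/sftd/ssh_ca.pub}"
  if ! grep -q "^[[:space:]]*TrustedUserCAKeys[[:space:]][[:space:]]*$caf" "$sshd_conf" 2>/dev/null; then
    echo "$sshd_conf does not reference $caf (sftd not yet run, or sshd_config changed)"
    findings=$((findings+1))
  fi

  return $findings
}
```

On a live host, `check_config /etc/sft/sftd.yaml /var/lib/sftd /etc/ssh/sshd_config` exits 0 when the file parses against the documented values and sshd still points at the CA file sftd maintains; a non-zero exit count is the number of problems printed, which is convenient for a configuration-management post-check.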


Command Line Options

  • --conf: Use an alternative configuration file path.
  • --debug-device-info: Prints detected device information to stderr and then exits.
  • -h, --help: Display help.
  • -v, --version: Display version.
  • --syslog: Force syslog logging.

Environment Variables

sftd reads the following variables when starting:

  • SFT_DEBUG: Prints additional debugging to stderr when set.