# ScaleFT Notes

Okta owns ScaleFT, and we use it for managed SSH.

## Adding users to groups

To add a user to a ScaleFT group, just add them to the matching group in Okta. ScaleFT will automagically query Okta via a service account and pull the new user in.

:warning: This may take some time to propagate.

If the groups never update, try updating the sftd agent: `yum update scaleft-server-tools`

Don't forget to add the user to the sft owner group manually if appropriate. This is for super admins only.

## Client Setup (Mac)

Download and install sft. Do NOT run these commands as the root user.

https://www.scaleft.com/docs/setup/enrolling-a-client/

Enroll a new client: `sft enroll --team mdr`

This configures your local ssh config file. Add `!User` as shown below: `sft ssh-config $HOME/.ssh/config`

List the servers you can reach: `sft list-servers`

Use a bastion host with ScaleFT: `sft ssh -bastion dev-bastion dev-salt-master`

Resolve a server (get its ID): `sft resolve proxy`

SSH into the server by its ID: `ssh d430bf67-c655-4280-b8ab-9b8bd90ec0`

`~/.ssh/config` FOR MACS:

```
# SFT configuration. Add the !User centos to ssh using the msoc_build key
Match exec "/usr/local/bin/sft resolve -q %h" !User centos
    ProxyCommand "/usr/local/bin/sft" proxycommand %h
    UserKnownHostsFile "/Users/bradpoulton/Library/Application Support/ScaleFT/proxycommand_known_hosts"
```

## Troubleshooting SFT Client

Review the cache file `/var/lib/sftd/osync`. Make sure the agent is up to date.

## How Do I SCP?

SCP push of a file works with ScaleFT:

```
scp deleteme.txt dev-bastion:~/deleteme
scp junk_index_new.tar.gz dev-bastion:~/junk_index_new.tar.gz
```

### SCP pull a file

Duane's script. One major issue with this script is that sudo logging will scoop the file contents into the sudoreplay logs.

```bash
#!/usr/bin/env bash
# Usage:   sftp_as2 <remote-host> <remote-user>
# Example: sftp_as2 afs-splunk-sh splunk
# Opens an sftp session whose remote sftp-server runs as REMOTE_USER via sudo,
# so files owned by that user can be pulled. Caveat (see above): the sudo
# session is recorded, so file contents end up in the sudoreplay logs.
set -euo pipefail

REMOTE_HOST="${1:-}"
REMOTE_USER="${2:-}"
SFTP_SUBSYSTEM="/usr/libexec/openssh/sftp-server"   # path on the remote host

usage() {
    echo "usage:   $(basename "$0") <remote-host> <remote-user>"
    echo "example: $(basename "$0") afs-splunk-sh splunk"
}

if [[ $# -ne 2 ]]; then
    usage
    exit 1
fi

# -s lets sftp run an arbitrary command as the remote subsystem.
sftp -s "sudo -i -u $REMOTE_USER $SFTP_SUBSYSTEM" "$REMOTE_HOST"
```

Usage:

```
./sftp_as2 dev-saf-splunk-indexer-1 brad_poulton
```

## Agent/Server Setup

Salt pushes out the token and the agent, then starts the agent. The agent connects to ScaleFT and updates the web page.

Re-enroll the agent if it is not showing up on the scaleft.com website: `systemctl restart sftd`

Install dir: `/etc/sft`

Enrollment token (deleted after the server enrolls successfully): `/etc/sft/enrollment.token`

Remove the server's auth token to force it to re-authenticate with scaleft.com (use this if you have deleted the server in the web page): `rm -rf /var/lib/sftd/device.token`

Configuration file: `cat /etc/sft/sftd.yaml`

A Salt grain/pillar is used to determine whether a host is dev or prod:

```
salt '' state.sls os_modifications.scaleft
```

Troubleshooting: `tail -200 /var/log/messages | grep sftd`. If you see `level=error msg="task init failed" err="Server is deleted" task=refreshServerToken`, remove `device.token`, place the `enrollment.token`, and restart.

Temporarily change the name (the Salt state is currently not working on the name for dev-salt-master): change the name and canonical name in sftd.yaml with `vim /etc/sft/sftd.yaml`

Restart the service: `systemctl restart sftd`

ERROR:

```
error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
ssh_exchange_identification: Connection closed by remote host
```

SOLUTION: re-enroll with ScaleFT, apply all updates, and restart the server.
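The "Server is deleted" troubleshooting step above is easy to script: filter the sftd log lines down to errors, pull out the failing task, and print the remediation from these notes instead of typing it from memory. This is an added example, not part of the original notes or of ScaleFT's tooling; the log lines are constructed to match the format quoted above, and the default paths are the ones listed in this file.

```bash
#!/usr/bin/env bash
# Added example: detect sftd's "Server is deleted" error in a log excerpt and
# print the re-enrollment steps from the notes. Sample log lines below are
# constructed, not captured from a real host.
SAMPLE_SFTD_LOG='Jun  1 10:00:01 dev-salt-master sftd[1234]: time="2020-06-01T10:00:01Z" level=info msg="task started" task=refreshServerToken
Jun  1 10:00:02 dev-salt-master sftd[1234]: time="2020-06-01T10:00:02Z" level=error msg="task init failed" err="Server is deleted" task=refreshServerToken
Jun  1 10:00:03 dev-salt-master sftd[1234]: time="2020-06-01T10:00:03Z" level=info msg="task started" task=heartbeat'

# Keep only sftd lines at level=error (the notes' grep, narrowed to errors).
sftd_errors() {
    printf '%s\n' "$1" | grep 'sftd\[' | grep 'level=error' || true
}

# Print the task name from the first "Server is deleted" error, or nothing.
sftd_deleted_task() {
    sftd_errors "$1" | sed -n 's/.*err="Server is deleted".*task=\([^ ]*\).*/\1/p' | head -n 1
}

# Exit 0 when the notes' re-enrollment fix applies, 1 otherwise.
sftd_needs_reenroll() {
    [ -n "$(sftd_deleted_task "$1")" ]
}

# Print (do not run) the remediation. Defaults are the sftd paths from the
# notes; pass other directories to dry-run against a test tree.
sftd_reenroll_plan() {
    local state_dir="${1:-/var/lib/sftd}" conf_dir="${2:-/etc/sft}"
    printf 'rm -f %s/device.token\n' "$state_dir"
    printf '# copy a fresh enrollment token from the ScaleFT web UI to %s/enrollment.token\n' "$conf_dir"
    printf 'systemctl restart sftd\n'
}

# Demo against the constructed sample: ./sftd_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    if sftd_needs_reenroll "$SAMPLE_SFTD_LOG"; then
        echo "sftd task $(sftd_deleted_task "$SAMPLE_SFTD_LOG") failed: server deleted; remediation:"
        sftd_reenroll_plan
    fi
fi
```

On a real host, feed it the output of `tail -200 /var/log/messages` instead of the sample, e.g. `sftd_needs_reenroll "$(tail -200 /var/log/messages)"`.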

## ScaleFT Projects

Servers belong to projects. People and groups can be granted access to projects, which gives them access to the related servers.