SCP Files from the OAG Appliance
Access Gateway
Okta Classic Engine
Okta Identity Engine
Overview

Starting in May 2024, Okta Access Gateway (OAG) appliances have the option of shell access through the management console. However, if a specific log file needs to be transferred off the appliance with SCP, a new user must be created for that purpose.

NOTE:

  • Downloading logs from the Admin UI is recommended; it requires no additional users.
  • Creating additional users on the appliance opens an additional attack surface.
Applies To
  • Okta Access Gateway (OAG)
  • SCP
  • Version 2024.5.0 and above
Cause

By default the appliance has no user account that can be used for direct ssh/scp access to the appliance.

Solution
  1. Connect to the appliance through the launch-shell option.
  2. Create the user.
    • sudo adduser <username>

  3. The following steps change sshd_config. Do not modify anything other than what is mentioned in this section.
    • Modify the sshd_config to allow access for the newly created <username> account:
      • sudo vi /etc/ssh/sshd_config

      • Add <username> to the AllowUsers directive (below is what it will look like after the change): 
        • AllowUsers oag-mgmt appgw-mgmt oagha icsadmin <username>

      • Save the file and exit.
      • Before proceeding, check that sshd_config has no errors using the following command. Restarting sshd with a broken config may lock all users out of the appliance.
        • sudo sshd -t

      • Restart sshd.
        • sudo systemctl restart sshd

  4. Switch to the newly created user.
    • sudo su - <username>

    • Validate that the shell is in the user's home directory:
      • The bash prompt will now have:
        • <username>@<server-hostname>;/home/<username>

  5. Generate the ssh keys that can be used for authentication:
    • ssh-keygen -b 2048 -t rsa

    • Use the default path /home/<username>/.ssh/id_rsa.
    • Create a password (the key passphrase) when prompted.
    • Validate the files have been created:
      • ls -la /home/<username>/.ssh/

  6. Create the authorized_keys file and set its permissions:
    • touch /home/<username>/.ssh/authorized_keys
    • chmod 600 /home/<username>/.ssh/authorized_keys

  7. The following steps show how to connect from different platforms:
    1. To connect from Linux/Mac, copy the contents of the client's $HOME/.ssh/id_rsa.pub into the user's authorized_keys file at the location below:

       /home/<username>/.ssh/authorized_keys

    2. To connect from Windows:
      • Launch the WinSCP application:
        • Select Advanced > Authentication > Tools (Button) > Generate New Key Pair with PuTTYgen > Generate (Button).
        • Save the private key to a secure location.
        • Copy the public key from WinSCP and paste it into the authorized_keys file on the OAG appliance.
      • In WinSCP, ensure the private key is selected and the user is <username>.
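The sshd_config and authorized_keys steps above, as an added set of shell helpers that are not Okta's own tooling: the AllowUsers edit is idempotent and keeps a rollback copy, sshd is only restarted when the edited file validates, and a matching removal helper takes the account back out of AllowUsers once the transfer is done, since the note above calls out the extra attack surface. Assumes the config already has one AllowUsers line, as on the appliance; the user name logxfer and the paths are placeholders.

```shell
#!/bin/sh
# Added example (not Okta's code). Helpers for the sshd_config and
# authorized_keys steps; user names and paths are placeholders.

# add_allow_user CONFIG USER: append USER to the AllowUsers line (idempotent).
add_allow_user() {
  cfg="$1"; user="$2"
  cp "$cfg" "$cfg.bak"   # rollback copy
  awk -v u="$user" '
    /^AllowUsers/ { for (i = 2; i <= NF; i++) if ($i == u) found = 1
                    if (!found) $0 = $0 " " u }
    { print }' "$cfg.bak" > "$cfg"
}

# remove_allow_user CONFIG USER: drop USER from AllowUsers again when the
# transfer is done, so the extra account is no longer reachable over SSH.
remove_allow_user() {
  cfg="$1"; user="$2"
  cp "$cfg" "$cfg.bak"
  awk -v u="$user" '
    /^AllowUsers/ { line = $1; for (i = 2; i <= NF; i++) if ($i != u) line = line " " $i
                    $0 = line }
    { print }' "$cfg.bak" > "$cfg"
}

# install_pubkey HOME_DIR PUBKEY_FILE: create ~/.ssh/authorized_keys with the
# permissions sshd requires (700 on .ssh, 600 on the file) and append the key.
install_pubkey() {
  home="$1"; pub="$2"
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
  cat "$pub" >> "$home/.ssh/authorized_keys"
}

# apply_and_restart CONFIG USER: restart sshd only if the edited config passes
# `sshd -t`; otherwise roll back so a typo cannot lock everyone out.
apply_and_restart() {
  add_allow_user "$1" "$2"
  if sudo sshd -t -f "$1"; then
    sudo systemctl restart sshd
  else
    cp "$1.bak" "$1"; echo "sshd_config invalid, rolled back" >&2; return 1
  fi
}
```

Run it on the appliance as, for example, `apply_and_restart /etc/ssh/sshd_config logxfer`, then `remove_allow_user` followed by `sshd -t` and a restart when the file has been copied.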
