Close
logodocs
Try It Free

CLI tour

While this guide won't comprehensively cover each command available, it will give you a general idea of the flexibility and power available at your fingertips.

For a deep dive on each command, see the CLI Reference.

One thing you'll want to make sure of before you begin, however, is to ensure that the sdm binary is usable from the commandline. If you're on a Mac, the easiest way to do this is as follows:

After installing the sdm application, open a terminal prompt. From the command line, type the following:

sudo ln -s /Applications/SDM.app/Contents/Resources/sdm.darwin /usr/local/bin/sdm

This will symbolically link the sdm command line application into your PATH. To verify that its working properly, type the following:

$ sdm --version

This should output something similar to:

sdm-cli version 30.13.0 (d9b5d467efab6dcd2c35975c655167116fc7014e #13)

If instead, you see something like this:

-bash: sdm: command not found

It most likely means that the path /usr/local/bin/ is not included in your system search path. You'll have to edit whichever shell profile file your system is using. On a Mac, that is sometimes ~/.bash_profile. Open this file for editing, and then append this line to it: export PATH=/usr/local/bin/:$PATH.

Then, run this command before trying to check your sdm version once more:

$ source ~/.bash_profile

Linux users: After executing sdm install, you'll notice that strongDM has installed at /opt/strongdm and created a symlink to the sdm binary in /usr/local/bin.

Note that when using the sdm admin commands, the --certificate-authority value that is required in many places is a file path, not a Base64 encoded certificate.

That should have you up and going and able to use the command line effectively. Below are a few examples of the kinds of things you can do with with the command line.

Login and logout

$ sdm login
e-mail: letmein@strongdm.com
Please complete logging in at: https://app.strongdm.com/auth/XXXXXXXXXX
authentication successful
$ sdm logout

If your organization uses SSO, it will redirect you to complete authentication via the web. The CLI will attempt to open the provided URL in your browser, or you can visit the URL directly.

Lock and unlock the client

If you have MFA enabled in your organization, you can manually lock and unlock the client from the command line.

$ sdm lock
locked
$ sdm unlock
awaiting confirmation...
unlocked

When in awaiting confirmation... state you will receive an MFA push to complete the unlock process.

Check status of datasources and servers

$ sdm status
     DATASOURCE NAME           STATUS            PORT      TYPE
     ! mysql 5.6.39            not connected     13311     mysql
     !jsonb-test               not connected     15438     aurora-postgres
     Cache01                   not connected     16379     redis
     CacheM01                  not connected     21211     memcached
     Inventory DB (Heroku)     not connected     15434     postgres
     Marketing DB RW           not connected     15435     postgres
     MySQL 5.6                 not connected     13310     mysql
     Pricing DB RO             not connected     13306     mysql
     Users Profile DB RO       not connected     15436     postgres
     SERVER                    STATUS            PORT      TYPE
     RDP prod server           not connected     13389     rdp
     prod01 sudo               not connected     62609     ssh
     prod02                    not connected     62524     ssh

Connect/disconnect

$ sdm connect Marketing
connect successful
$ sdm status
     DATASOURCE NAME           STATUS            PORT      TYPE
     ! mysql 5.6.39            not connected     13311     mysql
     !jsonb-test               not connected     15438     aurora-postgres
     Cache01                   not connected     16379     redis
     CacheM01                  not connected     21211     memcached
     Inventory DB (Heroku)     not connected     15434     postgres
     Marketing DB RW           connected         15435     postgres
     MySQL 5.6                 not connected     13310     mysql
     Pricing DB RO             not connected     13306     mysql
     Users Profile DB RO       not connected     15436     postgres
     SERVER                    STATUS            PORT      TYPE
     RDP prod server           not connected     13389     rdp
     prod01 sudo               not connected     62609     ssh
     prod02                    not connected     62524     ssh
$ psql -h localhost -p 15435 -c 'select 42;'
?column?
----------
     42
(1 row)
$ sdm disconnect Marketing
disconnect successful

Connect to SSH

As described in the SSH connection guide there are several ways to connect to SSH servers. The easiest is to use the sdm ssh aliases. Using this method it is not necessary to run sdm connect before opening the SSH connection.

$ alias|grep sdm
scp='scp -S'\''/usr/local/bin/sdm'\'' -osdmSCP'
ssh='/usr/local/bin/sdm ssh wrapped-run'
$ ssh prod02
Last login: Wed Mar 13 14:23:01 2019 from ip-xx-xx-xx-xx.us-west-2.compute.internal
     __|  __|_  )
     _|  (     /   Amazon Linux 2 AMI
     ___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ops@ip-xx-xx-xx-xx ~]$ exit
logout
Connection to 127.0.0.1 closed.

This command is not available to Windows CLI users. To connect to SSH servers using Windows and the CLI, run sdm connect servername then connect with your preferred ssh client to localhost:port.

The sdm directory

By default, logs are written to ~/.sdm/sdm.log for both clients and relays.

You will also notice several authentication-related files in this directory. The *.key files serve as the private keys which authenticate you and your machine.

For detailed information about the CLI and its usage, see the CLI Reference.

User Guide — Previous
User Guide
Next — User Guide
GUI Tour