While this guide won't comprehensively cover each command available, it will give you a general idea of the flexibility and power available at your fingertips.
For a deep dive on each command, see the CLI Reference.
Before you begin, however, make sure that the sdm binary is usable from the command line. If you're on a Mac, the easiest way to do this is as follows:
After installing the sdm application, open a terminal prompt. From the command line, type the following:
sudo ln -s /Applications/SDM.app/Contents/Resources/sdm.darwin /usr/local/bin/sdm
This will symbolically link the sdm command line application into your PATH. To verify that it's working properly, type the following:
$ sdm --version
This should output something similar to:
sdm-cli version 30.13.0 (d9b5d467efab6dcd2c35975c655167116fc7014e #13)
If instead, you see something like this:
-bash: sdm: command not found
It most likely means that the path /usr/local/bin/ is not included in your system search path. You'll have to edit whichever Bash Profile file your system is using. On a Mac, that is likely ~/.bash_profile. Open this file for editing, and then append this line to it:
Then, run this command before trying to check your sdm version once more:
$ source ~/.bash_profile
Linux users: After executing sdm install, you'll notice that strongDM has installed at /opt/strongdm and created a symlink to the sdm binary in
Login and logout
$ sdm login
e-mail: firstname.lastname@example.org
Please complete logging in at: https://app.strongdm.com/auth/XXXXXXXXXX
authentication successful
$ sdm logout
If your organization uses SSO, it will redirect you to complete authentication via the web. The CLI will attempt to open the provided URL in your browser, or you can visit the URL directly.
Lock and unlock the client
If you have MFA enabled in your organization, you can manually lock and unlock the client from the command line.
$ sdm lock
locked
$ sdm unlock
awaiting confirmation...
unlocked
During the awaiting confirmation... state, you will receive an MFA push to complete the unlock process.
Check status of datasources and servers
$ sdm status
DATASOURCE NAME          STATUS           PORT    TYPE
! mysql 5.6.39           not connected    13311   mysql
!jsonb-test              not connected    15438   aurora-postgres
Cache01                  not connected    16379   redis
CacheM01                 not connected    21211   memcached
Inventory DB (Heroku)    not connected    15434   postgres
Marketing DB RW          not connected    15435   postgres
MySQL 5.6                not connected    13310   mysql
Pricing DB RO            not connected    13306   mysql
Users Profile DB RO      not connected    15436   postgres
SERVER                   STATUS           PORT    TYPE
RDP prod server          not connected    13389   rdp
prod01 sudo              not connected    62609   ssh
prod02                   not connected    62524   ssh
$ sdm connect Marketing
connect successful
$ sdm status
DATASOURCE NAME          STATUS           PORT    TYPE
! mysql 5.6.39           not connected    13311   mysql
!jsonb-test              not connected    15438   aurora-postgres
Cache01                  not connected    16379   redis
CacheM01                 not connected    21211   memcached
Inventory DB (Heroku)    not connected    15434   postgres
Marketing DB RW          connected        15435   postgres
MySQL 5.6                not connected    13310   mysql
Pricing DB RO            not connected    13306   mysql
Users Profile DB RO      not connected    15436   postgres
SERVER                   STATUS           PORT    TYPE
RDP prod server          not connected    13389   rdp
prod01 sudo              not connected    62609   ssh
prod02                   not connected    62524   ssh
$ psql -h localhost -p 15435 -c 'select 42;'
 ?column?
----------
       42
(1 row)
$ sdm disconnect Marketing
disconnect successful
Connect to SSH
As described in the SSH connection guide, there are several ways to connect to SSH servers. The easiest is to use the sdm ssh aliases. Using this method it is not necessary to run sdm connect before opening the SSH connection.
$ alias|grep sdm
scp='scp -S'\''/usr/local/bin/sdm'\'' -osdmSCP'
ssh='/usr/local/bin/sdm ssh wrapped-run'
$ ssh prod02
Last login: Wed Mar 13 14:23:01 2019 from ip-xx-xx-xx-xx.us-west-2.compute.internal
       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ops@ip-xx-xx-xx-xx ~]$ exit
logout
Connection to 127.0.0.1 closed.
This command is not available to Windows CLI users. To connect to SSH servers using Windows and the CLI, run sdm connect servername then connect with your preferred ssh client to
By default, logs are written to ~/.sdm/sdm.log for both clients and relays.
You will also notice several authentication-related files in this directory. The *.key files serve as the private keys which authenticate you and your machine.
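Because the *.key files in ~/.sdm are private keys, it is worth checking that only your account can read or replace them. The following is an added example, not part of the original guide or of strongDM's tooling: the function name audit_sdm_dir and its finding labels are made up here, and treating sdm.log as sensitive is an assumption.

```sh
#!/bin/sh
# Added example, not strongDM code: audit permissions of the sdm state directory.
# Assumption: the directory is ~/.sdm, where the guide places sdm.log and *.key.

# audit_sdm_dir [DIR]: print one finding per line. Returns 0 if clean,
# 1 if anything is too permissive, 2 if DIR does not exist.
audit_sdm_dir() {
    sdm_dir=${1:-"$HOME/.sdm"}
    [ -d "$sdm_dir" ] || { echo "MISSING $sdm_dir"; return 2; }

    sdm_findings=$(
        # A group- or world-writable directory lets another local user swap key files.
        find -H "$sdm_dir" -prune \( -perm -020 -o -perm -002 \) \
            -exec printf 'DIR-WRITABLE %s\n' {} \;
        # Private keys must carry no group or other permission bits at all.
        find -H "$sdm_dir" -type f -name '*.key' \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'KEY-EXPOSED %s\n' {} \;
        # A key owned by another account can be rewritten by that account.
        find -H "$sdm_dir" -type f -name '*.key' ! -user "$(id -un)" \
            -exec printf 'KEY-OWNER %s\n' {} \;
        # Assumption: the log may record resource names, so treat it as sensitive.
        find -H "$sdm_dir" -type f -name 'sdm.log' \
            \( -perm -040 -o -perm -004 \) \
            -exec printf 'LOG-READABLE %s\n' {} \;
    )
    [ -z "$sdm_findings" ] && return 0
    printf '%s\n' "$sdm_findings"
    return 1
}

# Demo on a constructed directory (not a real ~/.sdm): one tight key, one loose key.
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
: > "$demo_dir/good.key"; chmod 600 "$demo_dir/good.key"
: > "$demo_dir/bad.key";  chmod 644 "$demo_dir/bad.key"
audit_sdm_dir "$demo_dir" || true    # reports KEY-EXPOSED for bad.key only
rm -rf "$demo_dir"
```

Run audit_sdm_dir with no argument to check your own ~/.sdm; findings are typically cleared with chmod 700 on the directory and chmod 600 on the flagged files.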
For detailed information about the CLI and its usage, see the CLI Reference.