<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta Privileged Access/ASA: SSH with X11 Forwarding via SFT Fails with Error "Flag provided but not defined"
Apr 23, 2026
Okta Classic Engine
Privileged Access
Okta Identity Engine
Overview

When attempting to use X11 Forwarding for SSH with the sft client by using a command such as sft ssh -Y <server name>, the command fails with the error:

 

Incorrect usage: flag provided but not defined: -Y

 

Incorrect usage: flag provided but not defined: -X

 

Applies To
  • Okta Privileged Access (OPA)
  • Advanced Server Access (ASA)
  • X11 Forwarding
Cause

The sft ssh command is a proprietary wrapper that handles Okta authentication and routing. The wrapper only recognizes a specific set of defined flags. Because the wrapper does not natively recognize standard OpenSSH flags like -X (X11 Forwarding) or -Y (Trusted X11 Forwarding), the "sft client" rejects the command before establishing a connection.

Solution

To use X11 Forwarding, bypass the sft SSH wrapper and utilize the native system SSH client by generating the configuration, updating the local SSH configuration file, and connecting via native SSH.

  1. Generate the configuration block by running the following command on the local machine: sft ssh-config
  2. Copy the output of the command and paste it into the local SSH configuration file based on the operating system:
    • Windows: C:\Users\<YourUser>\.ssh\config
    • macOS/Linux: ~/.ssh/config
  1. Connect using the native system SSH command instead of sft ssh: ssh -Y <Server-Name>

The native SSH client handles the -Y flag correctly, while the ProxyCommand manages the OPA/ASA authentication automatically. For more details on configuring ProxyCommand, see the following SSH setup documentation.

 

NOTE: For graphical data to render successfully, the environment must meet specific client-side and server-side requirements outside of the OPA and ASA configuration.

    • Client-Side (Local Machine):
      • X Server: An X Server (for example, Xming, VcXsrv, or XQuartz) must run locally.
      • DISPLAY Variable: The local environment must contain a DISPLAY variable (typically localhost:0.0) to direct the SSH client where to send the graphical data.
    • Server-Side (Target Linux Server):
      • sshd_config: The SSH daemon must allow forwarding by setting "X11Forwarding yes".
      • X11 Tooling: The server must contain the xauth package to authorize the X11 connection.

Recommended content

Still looking for help?
Loading
Okta Privileged Access/ASA: SSH with X11 Forwarding via SFT Fails with Error "Flag provided but not defined"