SSH Using Proxycommand Fails from RHEL9 Client with Error "Bad Server Host Key: Invalid Key Length"
Advanced Server Access
Okta Classic Engine
Okta Identity Engine
Overview

When using an RHEL9 client to SSH to another target server in Advanced Server Access (ASA) or Okta Privileged Access (OPA), SSH using proxycommand fails with the following error:

[root@rhel9-server1 .ssh]# ssh <target server>
Bad server host key: Invalid key length

Using the standard "sft ssh" command instead of proxycommand bypasses this error and still allows successful SSH:

[root@rhel9-server1 .ssh]# sft ssh <target server>
Last login: Fri Jan 31 10:06:52 2025 from <clientIP>
[user@targetserver ~]$ 
Applies To
  • Advanced Server Access (ASA)
  • Okta Privileged Access (OPA)
Cause

By default, RHEL9 enforces a "RequiredRSASize 2048" directive in its ssh/sshd configuration. However, ASA/OPA client versions earlier than 1.99.7 do not support an RSA key size greater than 1024 in proxycommand.
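
To confirm this mismatch on a client, the following added example (not Okta's code) compares the effective RequiredRSASize with the bit length of RSA keys in an `ssh-keygen -l` listing. It assumes the client's OpenSSH build reports `requiredrsasize` in `ssh -G` output; the function names, hostnames and fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example (not Okta's code). Sample data below is constructed.

# Print the requiredrsasize value found in `ssh -G <host>` output on stdin.
required_rsa_size() {
    awk 'tolower($1) == "requiredrsasize" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Read `ssh-keygen -l` lines on stdin ("<bits> <fingerprint> <comment> (<TYPE>)")
# and print "<bits> <fingerprint>" for each RSA key shorter than $1 bits.
short_rsa_keys() {
    awk -v min="$1" '$NF == "(RSA)" && $1 + 0 < min + 0 { print $1, $2 }'
}

# $1 = `ssh -G` output, $2 = `ssh-keygen -l` output.
# Returns 0 if every RSA key meets the minimum, 1 if any is too short,
# 2 if the client did not report requiredrsasize.
audit() {
    min=$(printf '%s\n' "$1" | required_rsa_size) || {
        echo "requiredrsasize not reported by this ssh client"; return 2; }
    short=$(printf '%s\n' "$2" | short_rsa_keys "$min")
    if [ -z "$short" ]; then
        echo "OK: all RSA keys are at least $min bits"; return 0
    fi
    printf '%s\n' "$short" | while read -r bits fp; do
        echo "REJECTED: RSA $bits < $min ($fp)"
    done
    return 1
}

# Constructed sample input so the example runs offline.
SAMPLE_SSH_G='hostname target.example.internal
port 22
requiredrsasize 2048'
SAMPLE_KEYS='1024 SHA256:CONSTRUCTEDaaaaaaaa target.example.internal (RSA)
3072 SHA256:CONSTRUCTEDbbbbbbbb other.example.internal (RSA)
256 SHA256:CONSTRUCTEDcccccccc target.example.internal (ED25519)'

# Offline run on the constructed data; on a real client use:
#   audit "$(ssh -G <target server>)" "$(ssh-keygen -lf ~/.ssh/known_hosts)"
audit "$SAMPLE_SSH_G" "$SAMPLE_KEYS" || true
```
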

Solution

Upgrade the ASA/OPA client to version 1.99.7 or later. Refer to the release notes for additional details about a specific version.
