Client configuration

Note:

End of sale announcement

Effective May 1, 2026, Okta will no longer sell or renew Advanced Server Access. Existing customers must migrate to Okta Privileged Access within one year of their next scheduled renewal date to maintain service.

Read the FAQ and learn more about Okta Privileged Access.

Use these advanced client configuration options to automatically share settings to clients that are logging into a server in a project. To use this feature ensure that these advanced client configuration features are enabled for your Advanced Server Access team.

Before you begin

Advanced Server Access client must be installed on each server where this advanced client configuration is performed.

Forward Agent

Use this feature to forward a local SSH agent to the server you initially connected through Advanced Server Access. For this feature to work, the server you connect to must permit TCP forwarding. If a statement in the /etc/ssh/sshd_config file disallows TCP forwarding, such as AllowTcpForwarding no, modify it to AllowTcpForwarding yes, and then restart SSHD.

Note:

This feature is not compatible with the Windows client.

From your Advanced Server Access dashboard, go to Projects.
On the Details tab, go to Client Configuration.
Select Forward Agent.

Netcat Port Forwarding

Enabling this feature allows Advanced Server Access to remotely execute Netcat (nc) as a means of port forwarding instead of using the default SSH port forwarding. Use this feature only if your server's version of SSH doesn't support port forwarding.

From your Advanced Server Access dashboard, go to Projects.
On the Details tab, go to Client Configuration.
Select Netcat Port Forwarding.

Forward Client Trust

The Forward Client Trust feature allows users to establish SSH sessions from their enrolled workstation into an enrolled server. They can also establish SSH sessions from that server into other enrolled servers. These subsequent connections, also called hops, are performed automatically and allow lateral movement between two or more servers. In other words, server administrators can connect from one server to another without creating an entirely new connection from their workstations to subsequent servers. Users can hop between 64 different servers.

Note:

Forward Client Trust passes the client user's Advanced Server Access access token to the user's environment variable on the target server. That environment variable is then used by the Advanced Server Access client when connecting to other servers without requiring the user to perform a full SSO from that server.

Given how the Linux operating systems work, it could be possible for another user logged-in with root-level access or permissive SUDOERS configuration to abuse their access and read another logged-in user's Advanced Server Access access token.

Before enabling this feature, you should understand the implications and accept the risk. Enabling this feature will also automatically update the sshd_config file with the required settings. If other management tools manage the sshd_config file, there could be a conflict. When enabling this feature, you should examine the sshd_config changes it makes and incorporate those into your configuration management setup.

From your Advanced Server Access dashboard, go to Projects.
On the Details tab, go to Client Configuration.
Select Forward Client Trust.
From your workstation, run the following command.
sft login.
Log in to a server that has Forward Client Trust enabled.
sft ssh < SERVER 1>.
Optional. Run sft list-servers. You see a list of servers that you have access.
Note:
Firewall rules may prevent the network connections regardless of the servers appearing in the list.
From < SERVER 1>, log in to another server.
sft ssh < SERVER 2>.
You can continue to hop from server-to-server as long as each additional hop has the Advanced Server Access client software already installed on it.