SSH ForwardAgent option

The ForwardAgent option specifies whether SSH agent forwarding is allowed.

ForwardAgent values

Value          Meaning
Yes            Agent forwarding is allowed
No (default)   Agent forwarding is not allowed
PATH           Path to the agent socket
$VARIABLE      Environment variable that stores the path

Security caution

Agent forwarding should not be used unless strictly needed. Any user who can access the agent socket, whose path is stored in SSH_AUTH_SOCK, may be able to use the agent through the forwarded connection. While the key material itself may not be accessible, the keys can still be used to authenticate as any of the identities that are active in the SSH agent.

If you really need agent forwarding, use it on a per-session basis with the -A option.

ssh -A user@host

When using a bastion host (jump host, jump server, jump box), consider using ProxyJump as this is a safer alternative.
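
A defensive check for the advice above, as an added example that is not part of the original article: it scans ssh_config text and reports every block that enables ForwardAgent, marking global and wildcard scopes where the agent would be forwarded broadly. The sample configuration, its host names and the function name audit_forward_agent are constructed for illustration; Include files and resolution of the effective value per host are not handled.

```python
import re

# Constructed sample: a ProxyJump block that needs no forwarding, a block
# using the $VARIABLE form, and a wildcard block that forwards everywhere.
SAMPLE_CONFIG = """\
Host internal-db
    HostName db.internal.example
    ProxyJump bastion.example
    ForwardAgent no

Host build
    forwardagent=$SSH_AUTH_SOCK

# weak setting: agent is forwarded to every remaining host
Host *
    ForwardAgent yes
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are
# case-insensitive. Comment and blank lines do not match this pattern.
LINE_RE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")


def audit_forward_agent(config_text):
    """Return one finding per block in which ForwardAgent is not 'no'."""
    findings = []
    scope, broad = "(global)", True  # options before any Host apply to all hosts
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword in ("host", "match"):
            scope = f"{m.group(1)} {arg}"
            pats = arg.split()
            # A non-negated pattern with * or ? (or "Match all") covers many hosts.
            broad = any(("*" in p or "?" in p) and not p.startswith("!")
                        for p in pats) or (keyword == "match" and pats == ["all"])
        elif keyword == "forwardagent" and arg.lower() != "no":
            # "yes", a socket PATH and a $VARIABLE all enable forwarding.
            findings.append({"scope": scope, "value": arg, "broad": broad})
    return findings


if __name__ == "__main__":
    for f in audit_forward_agent(SAMPLE_CONFIG):
        level = "BROAD" if f["broad"] else "scoped"
        print(f"[{level}] {f['scope']}: ForwardAgent {f['value']}")
```

Findings marked BROAD are the ones to replace first, either with ProxyJump or with a per-session ssh -A.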

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.