
SSH Agent Forwarding vs ProxyJump: Why Agent Forwarding Is Dangerous and What to Use Instead

DEV Community·Mahafuzur Rahaman·1 day ago

Thousands of tutorials recommend `ForwardAgent yes`. Most of them don't tell you what it actually does to your security posture. Here's the full picture.

You need to SSH from your laptop to a bastion, then from the bastion to an internal server. You've seen the solution in a dozen tutorials:

```
Host bastion
    ForwardAgent yes
```

It works. It's convenient. And it creates a security hole that could let anyone with root on the bastion impersonate you to every server your key unlocks — for as long as your session is open.

This isn't a theoretical risk. It's a well-documented attack vector with a name: SSH agent hijacking. And the fix — ProxyJump — has been available since 2017 and solves the same problem without the exposure.

This article explains exactly what agent forwarding does under the hood, why it's dangerous, when (if ever) it's acceptable, and how ProxyJump eliminates the need for it in the most common use case.…
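An added example, not part of the original article: a small Python check that scans an ssh_config for blocks that enable agent forwarding, the setting discussed above. The sample config, its hostnames and the function names are constructed for illustration.

```python
import re

# Constructed sample ssh_config; hostnames and addresses are placeholders.
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host internal-old
    HostName 10.0.0.5
    forwardagent=yes

Host internal-new
    HostName 10.0.0.6
    ProxyJump bastion
    ForwardAgent no

Host *
    ServerAliveInterval 30
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def parse_blocks(text):
    """Split ssh_config text into (header, {keyword: value}) blocks."""
    blocks = [("(global)", {})]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank lines and comments do not match
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            blocks.append((f"{m.group(1)} {value}", {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks


def audit(text):
    """Return (block header, ForwardAgent value) for every block that enables forwarding."""
    # Any value other than "no" (yes, a socket path, an env var) turns forwarding on.
    return [(header, opts["forwardagent"])
            for header, opts in parse_blocks(text)
            if opts.get("forwardagent", "no").lower() != "no"]


if __name__ == "__main__":
    for header, value in audit(SAMPLE_CONFIG):
        print(f"{header}: ForwardAgent {value}")
```

This is a static scan of one file; it does not follow `Include` directives or evaluate `Match` conditions. `ssh -G <host>` prints the options OpenSSH actually resolves for a given host.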
