Skip to content

v3.7.0 — Per-server SSH agent forwarding (ForwardAgent)

Latest

Choose a tag to compare

@bvisible bvisible released this 13 Jul 11:20

🔗 Added — SSH agent forwarding, per server

New opt-in ForwardAgent support (#53 — requested by @raphaelbahat in #52)

Enable the equivalent of OpenSSH's ForwardAgent yes on a per-server basis, so processes on the remote host can authenticate to other SSH hosts using the keys in your local ssh-agent — e.g. git clone over SSH on a remote server using your local GitHub key — without copying any private key to the server.

SSH_SERVER_MYSERVER_FORWARD_AGENT=true
[ssh_servers.myserver]
forward_agent = true
  • Safe by construction — requires a running local agent (SSH_AUTH_SOCK); the flag is ignored when no agent is present, so it never breaks a connection. It is set only alongside a valid agent (ssh2 throws otherwise). ssh2's connection-level agentForward forwards on every exec/shell channel, so no per-command change is needed.
  • Boolean coercion — only true/1/yes/on enable it; FORWARD_AGENT=false stays off.
  • ⚠️ Defaults to false. Agent forwarding lets anyone with root on the remote host use your loaded keys for the life of the connection — enable it only for servers you trust. See the new SSH Agent Forwarding section in the README.

Tests

  • tests/test-agent-forward.js — verifies the connect() wiring across on / off / absent / no-agent states.
  • tests/test-config-field-names.js — extended with forwardAgent coverage (env + TOML), boolean coercion, and a TOML export round-trip.

Fully opt-in, no behaviour change for existing configs.

Full changelog: https://github.com/bvisible/mcp-ssh-manager/blob/main/CHANGELOG.md#370---2026-07-13