🔗 Added — SSH agent forwarding, per server
New opt-in ForwardAgent support (#53 — requested by @raphaelbahat in #52)
Enable the equivalent of OpenSSH's ForwardAgent yes on a per-server basis, so processes on the remote host can authenticate to other SSH hosts using the keys in your local ssh-agent — e.g. git clone over SSH on a remote server using your local GitHub key — without copying any private key to the server.
SSH_SERVER_MYSERVER_FORWARD_AGENT=true[ssh_servers.myserver]
forward_agent = true- Safe by construction — requires a running local agent (
SSH_AUTH_SOCK); the flag is ignored when no agent is present, so it never breaks a connection. It is set only alongside a valid agent (ssh2 throws otherwise). ssh2's connection-levelagentForwardforwards on every exec/shell channel, so no per-command change is needed. - Boolean coercion — only
true/1/yes/onenable it;FORWARD_AGENT=falsestays off. ⚠️ Defaults tofalse. Agent forwarding lets anyone with root on the remote host use your loaded keys for the life of the connection — enable it only for servers you trust. See the new SSH Agent Forwarding section in the README.
Tests
tests/test-agent-forward.js— verifies theconnect()wiring across on / off / absent / no-agent states.tests/test-config-field-names.js— extended withforwardAgentcoverage (env + TOML), boolean coercion, and a TOML export round-trip.
Fully opt-in, no behaviour change for existing configs.
Full changelog: https://github.com/bvisible/mcp-ssh-manager/blob/main/CHANGELOG.md#370---2026-07-13