Note: I think this applies to both ssh (client) and ssh-agent. It would be nice to add an option to ssh so only the key used for authentication is forwarded when "ssh -A" is used. Consider the following case: I have two private ssh keys : - one to access my personnal machines, - one to access servers at my job. I add those two keys to my ssh-agent with ssh-add. Now, when I do "ssh -A root@jobsrv" I would like to forward agent authentication only for my job key (the one I'm using to connect jobsrv). I want this because anyone having root access to jobsrv can use my agent to authenticate himself to my personnal machines. Thank you.