What sort of thing are you using ssh -A for which couldn’t be replaced by ssh -J?
git checkouts from private repositories, for example. HTTPS requires username/password which may or may not be checked/monitored.
> If you need to regularly copy stuff from server to another (or use SSH to GitHub to check out something from a private repo), it might be better to have a specific SSH ‘deploy key’ created for this, stored server-side and only able to perform limited actions.
And this is the approach we're taking going forwards.
If the problem is that you only ever want to read from git when an admin is logged into the machine, I guess the safest bet would be to use a temporary deploy key (or temporarily copy the deploy key onto the machine until you've finished admining).
Forwarding all the keys from your agent is a recipe to end up pwned like we did, however.
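The two alternatives discussed in this thread, as an added shell example that is not part of any comment above: spot `ForwardAgent yes` blocks in an ssh_config, write the `ProxyJump` (ssh -J) form that keeps keys on the client, and emit a restricted `authorized_keys` line for a server-side deploy key. The sample config, the host names and the forced-command path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ssh_config for agent forwarding and show the
# ProxyJump and restricted deploy-key alternatives. Names are constructed.

# Constructed sample config, assumed to be the content of ~/.ssh/config.
SAMPLE_CONFIG='Host bastion
    HostName bastion.example.com
    User admin

Host app-*
    ForwardAgent yes
    ProxyCommand ssh -W %h:%p bastion

Host build
    ForwardAgent no
    ProxyJump bastion
'

# List the Host patterns whose block enables agent forwarding. ssh keywords
# are case-insensitive, so compare lower-cased tokens.
hosts_with_agent_forwarding() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    '
}

# The ssh -J equivalent of a forwarding block: hop through the bastion with
# ProxyJump and no ForwardAgent, so private keys never leave the client.
proxyjump_block() {
    printf 'Host %s\n    ProxyJump %s\n' "$1" "$2"
}

# authorized_keys entry for a deploy key stored server-side: "restrict" turns
# off port/agent/X11 forwarding and pty allocation, and command= pins the key
# to one wrapper (e.g. a fetch-only git helper), so it is useless for anything else.
deploy_key_line() {
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}
```

Run `hosts_with_agent_forwarding "$(cat ~/.ssh/config)"` against a real config to find the blocks worth converting.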