Enabling SSH agent forwarding in PuTTY allows authentication to additional SSH servers from a jump host without copying private keys onto that jump host. Multi-hop administration becomes simpler while key material stays on the originating workstation.
PuTTY forwards agent-signing requests over the encrypted SSH connection to Pageant, the SSH agent included with the PuTTY suite on Windows, which holds decrypted keys in memory. The remote host receives only the results of cryptographic operations and never receives private key files.
Agent forwarding expands the trust boundary because processes on the remote host can attempt to use the forwarded agent while the session is open. Forwarding can also be blocked by server-side policy, so an enabled client checkbox does not guarantee a forwarded agent socket on the server.
Steps to enable SSH agent forwarding in PuTTY:
- Start Pageant.
Pageant must remain running for forwarded authentication to work.
- Confirm the Pageant icon is visible in the notification area.

- Open the Pageant key list window.

- Click Add Key in the Pageant key list.

- Select the private key file (commonly .ppk) and click Open.
An encrypted key prompts for a passphrase before loading.
- Verify the key appears in the Pageant key list.

- Launch PuTTY.

- Enter the target Host Name and Port in the Session category.

- Open Connection → SSH → Auth in the category tree.

- Enable Allow agent forwarding.
Agent forwarding exposes the local agent to the remote host; enable only on trusted servers and close the session when finished.
- Enable Attempt authentication using Pageant.
Keeping Attempt authentication using Pageant enabled allows PuTTY to use keys loaded in Pageant automatically.
- Return to Session and click Save to store the setting in the session profile.

- Click Open to start the SSH session.

- Verify the server fingerprint in the PuTTY Security Alert dialog and click Accept when it matches the expected key.
An unexpected fingerprint can indicate a man-in-the-middle attack or a replaced server key.
- Log in to the server and reach a shell prompt.

- Confirm a forwarded agent socket exists on the remote host.
$ echo $SSH_AUTH_SOCK
/tmp/ssh-9tQJvYwJ7F/agent.2714
An empty value indicates agent forwarding is disabled or rejected by the server.
- Test authentication to a downstream host from the jump host without copying keys to the jump host.
$ ssh user@internal-host
Last login: Tue Dec 16 08:41:12 2025 from 10.0.0.10
$
Use plain ssh user@host for a single hop; use ssh -A only when forwarding the agent to another hop is required.
- Remove the key from Pageant when agent forwarding is no longer needed.
Unloading keys reduces exposure if the workstation is left unattended.
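The socket check in the steps above can be extended into a small diagnostic for the jump host that separates "forwarding was refused" from "the agent is reachable but holds no key". This is an added example, not part of the original procedure; the function names and status words are hypothetical, and it assumes the OpenSSH ssh-add client is installed on the jump host.

```shell
#!/bin/sh
# Added example (not from the original page): classify the forwarded-agent
# state on the jump host. Function names and status words are hypothetical.

# dir_is_private DIR: succeeds when group and other have no permission bits.
dir_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# agent_forwarding_status SOCKET_PATH: prints one status word and returns 0
# only when the agent behind the socket answers and offers at least one key.
agent_forwarding_status() {
    sock=$1
    if [ -z "$sock" ]; then
        echo "not-forwarded"       # forwarding disabled in PuTTY or rejected by the server
        return 1
    fi
    if [ ! -e "$sock" ]; then
        echo "stale-path"          # variable set, but the socket no longer exists
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "not-a-socket"
        return 1
    fi
    if ! dir_is_private "$(dirname "$sock")"; then
        echo "socket-dir-exposed"  # socket directory is open to group or other
        return 1
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo "ssh-add-missing"
        return 1
    fi
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "keys-available" ;;
        1) echo "agent-empty" ;;        # agent reachable, no key loaded in Pageant
        *) echo "agent-unreachable" ;;  # ssh-add exits 2 when it cannot contact the agent
    esac
    [ "$rc" -eq 0 ]
}

# Report on the current session; "|| true" keeps a negative result non-fatal.
agent_forwarding_status "${SSH_AUTH_SOCK:-}" || true
```

A result of agent-empty after the key was removed from Pageant confirms that the final step of the procedure took effect for the open session.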
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
