Agent forwarding is a special case of remote tunneling. In agent forwarding, Secure Shell connections and public-key authentication data are forwarded from one server to another without the user having to authenticate separately for each server. Authentication data does not have to be stored on any other machine than the local machine, and authentication passphrases or private keys never go over the network.

By default, Tectia Server for IBM z/OS allows agent forwarding. To deny agent forwarding, set the AllowAgentForwarding or ForwardAgent keyword in the sshd2_config configuration file to no.