What is authentication agent forwarding for?
Let’s start by showing what man ssh says about it:
-A      Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
It tries to solve the following problem:
Laptop -> Server A -> Server B
The user wants to connect to Server A, and from Server A to Server B, with all authentication requests forwarded to Laptop.
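The man page's caution applies to every host the agent is forwarded to, so it helps to know where a client configuration turns forwarding on. The following is an added example, not part of the original post: a simplified audit of ssh_config text (it does not follow Include directives) that lists each ForwardAgent setting that enables forwarding and marks those scoped to wildcard patterns. The function name, sample configuration and hostnames are constructed for illustration.

```python
import re

# "Keyword value" or "Keyword=value", as ssh_config(5) allows.
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample configuration; hostnames are placeholders.
SAMPLE_CONFIG = """\
Host server-a
    HostName server-a.example.com
    ForwardAgent yes

Host *.example.com !bastion.example.com
    forwardagent=yes

Host server-b
    ForwardAgent no
"""

def audit_forward_agent(config_text):
    """Return (line_no, scope, broad) for each setting that enables forwarding."""
    findings = []
    # Options placed before any Host/Match line apply to every host.
    scope, broad = "(global)", True
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:  # blank line or comment
            continue
        key = m.group(1).lower()  # keywords are case-insensitive
        value = m.group(2).strip().strip('"')
        if key == "host":
            scope = "Host " + value
            # Negated patterns (!name) only exclude hosts, so skip them here.
            broad = any("*" in p or "?" in p
                        for p in value.split() if not p.startswith("!"))
        elif key == "match":
            scope = "Match " + value
            broad = value.lower() == "all"
        # Besides yes/no, ForwardAgent accepts a socket path or $ENV name,
        # so anything other than no/false is treated as enabling forwarding.
        elif key == "forwardagent" and value.lower() not in ("no", "false"):
            findings.append((line_no, scope, broad))
    return findings

if __name__ == "__main__":
    for line_no, scope, broad in audit_forward_agent(SAMPLE_CONFIG):
        note = "wildcard scope" if broad else "named hosts only"
        print(f"line {line_no}: {scope}: forwarding enabled ({note})")
```

Entries marked as wildcard scope forward the agent to every host matching the pattern, which widens the set of remote machines whose privileged users can reach the forwarded socket.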