diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 59ee2fec949be247143041379626f35b7d8bf657..667bdd26215b4e0978781244741dd4c5313cefbd 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -37,6 +37,10 @@
         # password-based authentication at all.
         PermitEmptyPasswords no
 
+        # Agent forwarding is fraught.  It can be used by an attacker to
+        # leverage one compromised system into more.  Discourage its use.
+        AllowAgentForwarding no
+
         # Only allow authentication as one of the configured users, not random
         # other (often system-managed) users.  Possibly this is also
         # superfluous!  NixOS system users have nologin as their shell ... so they
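Review bot: The comment above the added `AllowAgentForwarding no` says the setting "discourages" agent forwarding, but the directive makes sshd refuse to forward the agent socket outright, and sshd_config(5) notes that this alone does not improve security unless users are also denied shell access, since a user can always run their own forwarder over an ordinary port forward. Suggest rewording the comment to say what it actually achieves, e.g. `# Agent forwarding lets a compromised host borrow keys held by the client's agent. Refuse it here; this is defence in depth only, since users with shell access can still forward a socket by hand.` If closing that gap matters for this host, the same block would also need `AllowTcpForwarding no` and `AllowStreamLocalForwarding no`, at the cost of breaking legitimate port forwards, so that is a deliberate choice rather than an oversight to flag. The enclosing sshd configuration string starts and ends outside the hunk, so whether this sits in `extraConfig` or could instead use the typed `services.openssh.settings` attribute cannot be confirmed from here.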