SSH ed25519-sk hardware keys vs forwarded agents: when to forward, when to use a YubiKey and refuse forwarding
Most “hopping through bastion” SSH workflows use agent forwarding (ssh -A): the bastion gets temporary access to your local SSH keys via the agent socket, and from there it can SSH onward. It’s convenient, it’s the default in …