Well, here is a bit of a verbose solution to my problem. Agent-forwarding is controlled by the SSS_AUTH_SOCK variable, and this needs to be passed through to sudo: sudo env SSH_AUTH_SOCK=$SSH_AUTH_SOCK ssh <user>@C ls -la I suppose one can do something similar in sudoers to ensure this variable is always passed through. -i