diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config
index 6f7667d2..2f32b37d 100644
--- a/etc/ssh/ssh_config
+++ b/etc/ssh/ssh_config
@@ -15,7 +15,10 @@ Host *
     # closed.
     ControlPersist yes
 
+    # SSH Agent forwarding is behind a lot of security breaches, never do it
+    # Most recently https://github.com/matrix-org/matrix.org/issues/371
     ForwardAgent no
+    # Never do that either https://security.stackexchange.com/a/14817/234532
     ForwardX11 no
 
     # Debian sets this as yes, upstream no. TODO: What is it?