diff --git a/modules/programs/ssh.nix b/modules/programs/ssh.nix
index e062b2324..3420056e1 100644
--- a/modules/programs/ssh.nix
+++ b/modules/programs/ssh.nix
@@ -351,7 +351,7 @@ in {
 
     forwardAgent = mkOption {
       default = false;
-      type = types.bool;
+      type = types.nullOr types.bool;
       description = ''
         Whether the connection to the authentication agent (if any)
         will be forwarded to the remote machine.
@@ -533,7 +533,10 @@ in {
         '') ++ (map (block: matchBlockStr block.name block.data) matchBlocks))}
 
       Host *
-        ForwardAgent ${lib.hm.booleans.yesNo cfg.forwardAgent}
+        ${
+          optionalString (cfg.forwardAgent != null)
+          "ForwardAgent ${lib.hm.booleans.yesNo cfg.forwardAgent}"
+        }
         AddKeysToAgent ${cfg.addKeysToAgent}
         Compression ${lib.hm.booleans.yesNo cfg.compression}
         ServerAliveInterval ${toString cfg.serverAliveInterval}
@@ -554,3 +557,4 @@ in {
         cfg.matchBlocks);
   };
 }
+
diff --git a/tests/modules/programs/ssh/default.nix b/tests/modules/programs/ssh/default.nix
index c5e175995..8b3998275 100644
--- a/tests/modules/programs/ssh/default.nix
+++ b/tests/modules/programs/ssh/default.nix
@@ -3,6 +3,7 @@
   ssh-includes = ./includes.nix;
   ssh-match-blocks = ./match-blocks-attrs.nix;
   ssh-match-blocks-match-and-hosts = ./match-blocks-match-and-hosts.nix;
+  ssh-forwardAgent-null-config = ./forwardAgent-null-config.nix;
 
   ssh-forwards-dynamic-valid-bind-no-asserts =
     ./forwards-dynamic-valid-bind-no-asserts.nix;
diff --git a/tests/modules/programs/ssh/forwardAgent-null-config.nix b/tests/modules/programs/ssh/forwardAgent-null-config.nix
new file mode 100644
index 000000000..2762b9863
--- /dev/null
+++ b/tests/modules/programs/ssh/forwardAgent-null-config.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  config = {
+    programs.ssh = {
+      enable = true;
+      forwardAgent = null;
+    };
+
+    home.file.assertions.text = builtins.toJSON
+      (map (a: a.message) (filter (a: !a.assertion) config.assertions));
+
+    nmt.script = ''
+      assertFileExists home-files/.ssh/config
+      assertFileContent home-files/.ssh/config ${
+        ./forwardAgent-null-expected.conf
+      }
+      assertFileContent home-files/assertions ${./no-assertions.json}
+    '';
+  };
+}
diff --git a/tests/modules/programs/ssh/forwardAgent-null-expected.conf b/tests/modules/programs/ssh/forwardAgent-null-expected.conf
new file mode 100644
index 000000000..4c129508f
--- /dev/null
+++ b/tests/modules/programs/ssh/forwardAgent-null-expected.conf
@@ -0,0 +1,15 @@
+
+
+Host *
+
+  AddKeysToAgent no
+  Compression no
+  ServerAliveInterval 0
+  ServerAliveCountMax 3
+  HashKnownHosts no
+  UserKnownHostsFile ~/.ssh/known_hosts
+  ControlMaster no
+  ControlPath ~/.ssh/master-%r@%n:%p
+  ControlPersist no
+
+