https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...
Active attacks allow access to the keys, and once the attackers have the keys, unless the PFS is properly used, the old captured streams are readable. But often it's even easier to read the documents on the attacked machine directly.
Still, all this was known before the material we comment now. Which doesn't mean we should let PFS remain unused or wrongly used as it is now and that we shouldn't try to protect us from the active attacks.
If we worry about the decryption of our SSH traffic, do we properly use PFS? What do we do to prevent or detect active attacks?