On Fri, Oct 07, 2011 at 09:30:00AM -0600, Kevin Fenzi wrote:
> One possible compromise: go ahead and use ssh agent forwarding, but
> after you login, do a 'ssh-add -D' to drop all your keys. Then, when/if
> you need to make a copy connection it should ask for your passphrase to
> unlock the key again. If someone tries to hijack your agent connection,
> you would see the request to unlock the key and could reject it.
To eliminate the race condition after login, the necessary key could be
added with "ssh-add -c". This makes the agent ask for confirmation
before using a key for authentication.