I'm also guilty of putting private keys on bastion, but not a private
key that gives access to anything else. I didn't want to do agent
forwarding (and thereby give root@bastion access to jump around to
other systems I'm administering), and AFAIR I needed pubkey logins to jump
to puppet01. So I created a set of keys for use within the Fedora
infrastructure. Maybe not optimal security-wise for Fedora, but I didn't
quite see how I would be able to do this securely for all ("ssh-add -c"
being too cumbersome).

IMHO there's something lacking in the infrastructure policy. How are
people supposed to do authentication between f.ex. bastion and
puppet01? If we can't use passwords and can't have private keys on
bastion -- do you require agent forwarding? I think agent forwarding is
worse than keeping a private key on bastion, since it means a security
breach within Fedora can easily spread to other systems I manage.

Time to implement Kerberos/IPA or SSH host authentication?