Feeling less paranoid about ssh agent forwarding

If you forward your ssh agent to another machine, a root user on that machine (or anybody logged in as you) can hijack the forwarded agent and use it to log in to any machine that accepts the keys held in your agent.

A little-known option in recent versions of OpenSSH's ssh-add utility is -c. It makes ssh-agent prompt you before allowing the key to be used. Note that this requires your ssh-agent to have access to a valid $DISPLAY and an ssh-askpass program.

ssh-askpass-gnome
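A preflight for the -c requirement described above, as an added example that is not part of the original post: it refuses to load a confirmation-required key unless a prompt can actually be shown. The function names are hypothetical, and it assumes the agent was started from the same environment, so that it shares this shell's DISPLAY and SSH_ASKPASS.

```shell
#!/bin/sh
# Added example: preflight before loading a key with `ssh-add -c`.
# Assumption: ssh-agent inherited DISPLAY and SSH_ASKPASS from this shell.
# confirm_ready and add_confirmed_key are hypothetical helper names.

# Succeeds only if a confirmation prompt can be shown.
confirm_ready() {
    if [ -z "${DISPLAY:-}" ]; then
        echo "DISPLAY is not set: no way to show a confirmation prompt" >&2
        return 1
    fi
    # Conservative check: require SSH_ASKPASS to be set explicitly. The agent
    # can also fall back to a compiled-in default path, which is not probed here.
    if [ -z "${SSH_ASKPASS:-}" ]; then
        echo "SSH_ASKPASS is not set" >&2
        return 1
    fi
    case "$SSH_ASKPASS" in
        */*) [ -x "$SSH_ASKPASS" ] && return 0 ;;                  # explicit path
        *)   command -v "$SSH_ASKPASS" >/dev/null 2>&1 && return 0 ;;  # bare name on PATH
    esac
    echo "askpass program '$SSH_ASKPASS' is not executable" >&2
    return 1
}

# Load one private key so that every use of it must be confirmed.
add_confirmed_key() {
    key=$1
    confirm_ready || return 1
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "SSH_AUTH_SOCK is not set: no agent to add the key to" >&2
        return 1
    fi
    # -c: the agent asks for confirmation before each use of this key,
    # including uses that arrive over a forwarded agent connection.
    ssh-add -c "$key"
}

# Usage (the key path is a placeholder):
#   add_confirmed_key "$HOME/.ssh/id_example" && ssh -A somehost
```

Without a working prompt the agent cannot obtain confirmation and the key is simply not usable, which is why the check runs before the key is loaded rather than after a login fails.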

If you love your ssh agents, you might be interested in ssh-xfer, written by Matt Johnston.

dagobah@ucc