
> d) generate a new private key on foo and use that to access github.

> [...] only takes a moment [...]

Not every org's policy allows adding unaudited ad-hoc SSH keys.

> [...] much, much safer [...]

Definitely not always, if the hosts you store these keys on are not as hardened as your local machine (or a hardware key connected to it).




> Not every org's policy allows adding unaudited ad-hoc SSH keys.

Then audit them and get them in the process. Agent forwarding is too big of a risk.

> Definitely not always, if the hosts you store these keys on are not as hardened as your local machine (or a hardware key connected to it).

Once you use agent forwarding, the keys are no longer protected on your local machine. (Ironically, this RCE is precisely because of the requirement to whitelist hardware keys!)
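For reference, an added client-side `~/.ssh/config` example (not from either commenter) contrasting the setting the thread warns about with the usual alternatives. Host names, file paths and the use of ProxyJump are assumptions for illustration; the page itself only names agent forwarding and per-host keys.

```sshconfig
# Weak: the forwarded agent socket lands on "foo" as /tmp/ssh-XXXX/agent.N.
# Anyone with root on foo can point SSH_AUTH_SOCK at it and sign with
# every key in your local agent for as long as the session is open.
Host foo
    HostName foo.example.com      # assumed host
    ForwardAgent yes

# Safer: never forward the agent. If foo is only a hop on the way to
# github/other hosts, let the client tunnel through it with ProxyJump
# (assumed topology); the private key never leaves the local machine
# and foo sees only the opaque tunnelled connection.
Host foo-safe
    HostName foo.example.com      # assumed host
    ForwardAgent no

Host github.com
    ProxyJump foo-safe
    IdentityFile ~/.ssh/id_ed25519_gh   # assumed key, local only
    IdentitiesOnly yes

# Global default so a forgotten "-A" or a stray Host block does not
# re-enable forwarding for every destination.
Host *
    ForwardAgent no
```

If the key lives on a hardware token, the same `Host *` default applies; the per-host key the first commenter describes (generated on foo and audited into the process) is the remaining option when foo itself must talk to GitHub rather than merely relay the connection.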

