Hello, The documentation of 'ssh -A' does not mention that the risks can be somewhat mitigated by using the '-c' option of 'ssh-add'. In my experience, people are unaware of the '-c' option, so I suggest to point to it from the documentation of '-A': Index: ssh.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.345 diff -u -r1.345 ssh.1 --- ssh.1 19 Apr 2014 18:42:19 -0000 1.345 +++ ssh.1 2 May 2014 20:14:18 -0000 @@ -121,6 +121,11 @@ An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. +Using the +.Fl c +flag of +.Xr ssh-add 1 +can reduce (but not eliminate) the risk. .It Fl a Disables forwarding of the authentication agent connection. .It Fl b Ar bind_address I'm not married to the specific text in the patch; I'd just like the documentation of -A to contain a crossref to -c. Cheers, Daniel _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev