
Quoting Trent W. Buck (trentbuck@gmail.com):
That sounds like the user leaves private keys on intermediary hops (cf. -oProxyCommand or -oForwardAgent, which have different attack profiles).
A commendable tactic to eliminate risk from SSH gateways.

In case you haven't seen it: http://chainssh.sourceforge.net/

Also worthy of note: https://www.ibm.com/developerworks/linux/library/l-keyc3/

My point concerned anywhere the user _does_ for whatever reason feel a need to house private keys. Even professional paranoics (sysadmins) tend to find themselves unable to restrict ssh/scp connections strictly to ones outbound from the Sanctum Sanctorum host, and have private keys reside _only_ there.

-- 
Cheers,              "Overheard a hipster say 'Quinoa is kind of 2011',
Rick Moen            so I lit his beard on fire."  -- Kelly Oxford
rick@linuxmafia.com
McQ! (4x80)