[willbicks]

I prefer using hardware tokens (in most cases a PKCS#11 smart card) because it means that even with a forwarded SSH agent, every request to use my private key requires a PIN on my client which is verified by the isolated cryptographic processor. It's impossible for my private key to leave that card and get cached anywhere else. While I haven't enabled it on my Yubikey I understand they can do similar.

The downside is that compatibility in edge cases, while much better than I'd expect, is still not perfect. In particular Windows support outside of Putty gets challenging.

[gorkish]

The RCE is related to ssh-agent's support for PKCS#11, so, yeah you are right this is a valid method to prevent key access or theft via the agent (I also have to approve every use of my PK), but in this case it's not protecting against the RCE, and the workaround in the meantime is to disable PKCS#11 `ssh-agent -P ''`

[toast0]

The other downside is it's much harder to do bulk operations against a fleet. It's not reasonable to enter a PIN for each access when you need to push something to 1000 nodes. 100 nodes is probably ok, but not great.

[throwawaaarrgh]

or you could just use the -c option to ssh-add and be prompted every time the key is handed over

[gunapologist99]

That won't save you for this RCE!

[themoonisachees]

It will save his keys though. It's a start.

[gunapologist99]

It is a start, true, but it's already game over: if I can execute code on your box, then the keys are the least of the treasures I've uncovered.

I can initiate connections, keylog, request or hide confirmations, steal all your other data, piggyback on your authorized SSH connections, etc.

[aidenn0]

ssh-agent forwarding does have some use cases with hardware keys. However, most people aren't using hardware keys.