And then losing the advantage of ControlPersist; the ideal would be to have an always-on ControlMaster, but that would also be restarted once ServerAliveInterval*ServerAliveCountMax expires.
> If a root user is able to convince his ssh client to use another user's agent, root can impersonate that user on any remote system which authorizes the victim user's public key.
Yes, root can also simply `su - user` and then do all the stuff you do.
But you should also not put YOUR private keys on a system that has a root user who should not have access to YOUR keys.
> The problem with ssh-agent defaults is that someone with root on the server you're SSH'd into can use your SSH private key (which is on your local machine).
> ssh-agent is like temporarily uploading your private key to each remote server logged into.
That is very different (and much more common) than an attacker having root on your local machine.
This is not how it is meant.
When you use AutoSSH/SSH and need to enter a password for your key anytime you do a connection (which probably happens every 10min as a system engineer/admin/etc) it is probably useless.
I have many different SSH keys, each with different long passwords.
What you are looking for is `ssh-agent` which can take care of all the password handling.
Also unattended rsync (over ssh) backups rely on no user interaction at all.
On top of that, you can always use a separate user for the tunnel that doesn't have a login shell. Obviously still a problem if someone gets the private keys but not nearly as much so, as they'll basically be limited to tunneling/forwarding.
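The tunnel-only account suggested in the last comment, as an added server-side configuration sketch that is not part of the original thread. The account name `tunnel`, the forward target `127.0.0.1:5432` and the `/usr/sbin/nologin` path are assumptions for illustration. A non-login shell alone still leaves forwarding to any destination open, so the limits are set in `sshd_config` as well:

```conf
# /etc/ssh/sshd_config on the server that terminates the tunnel.
# Assumed for illustration: account "tunnel", forward target 127.0.0.1:5432.
# The account is created with a non-login shell (path varies by distribution):
#   useradd --system --create-home --shell /usr/sbin/nologin tunnel

Match User tunnel
    # Key-only authentication for the unattended tunnel account.
    PasswordAuthentication no
    AuthenticationMethods publickey

    # Allow local (-L) forwards only, and only to the one permitted target.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5432

    # Everything else a session could ask for is switched off.
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    PermitUserRC no

    # Any attempt to run a command or shell ends immediately.
    ForceCommand /usr/sbin/nologin

# ~tunnel/.ssh/authorized_keys: the same limits pinned to the key itself.
# "restrict" disables forwarding, PTY, agent and X11; "port-forwarding"
# re-enables forwarding, and "permitopen" confines it to the one target.
# The key material is a placeholder.
#
# restrict,port-forwarding,permitopen="127.0.0.1:5432" ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> tunnel@client
```

Because the account cannot run a command, the client has to connect without requesting one, for example `ssh -N -L 5432:127.0.0.1:5432 tunnel@server`. Validate the file with `sshd -t` before reloading the daemon.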