In an active ssh session, it is possible to escape to an internal command processor using ~C. This may be used (mainly) to set up port forwarding. However, it would be useful if it were also possible to switch on (or off) agent forwarding this way. Indeed, for security reason, many users prefer not to allow agent forwarding most of the time, but may occasionally see a need to ssh from the current server to another server during the session using agent forwarding. Right now they have to open a new session to do so.
Created attachment 2082 [details] Allow agent forwarding to be toggled off I actually implemented this a long time ago as a toggle rather than the command line processor. The down side is that you'll get an error message from the remote end if you use it and then attempt to use agent forwarding: Error reading response length from authentication socket. Note that you can't toggle it on if it was not enabled at connection establishment since the server needs to set the SSH_AUTH_SOCK environment variable and have it propagate to the shell, which it can't do after the shell has started.
Actually, we could probably fix the error message by implementing just enough of the agent protocol to say "nope, no identities here, move along!".
The other thing you can do is load the key with ssh-add -c to require confirmation at the time of use.
This would be rather inconvenient if the command needing access to the key was something like: for arch in i386 x86_64 arm powerpc; do scp huge_source_tree.tar.gz $arch.linux.org: done You'd get a confirmation request for each machine. With a toggle switch, you'd give access before the loop, and remove access after.