Background: forwarding connections to ssh-agent is risky; if a server you ssh into is compromised (or if its administrator is malicious), someone could abuse your forwarded agent to authenticate as you.

One mitigation is to use `ssh-add -c` when adding keys to the agent, which causes the agent to prompt the user each time a key would need to be used.

Problem: for people who use ssh a lot, `ssh-add -c` is very inconvenient; it would be nice if we could be prompted only when a *remote* client tries to use our key, not for local clients. Unfortunately, ssh-agent can't differentiate between local and remote clients.

Proposal: have the user run two agents; one for local clients, one for remote ones. Keys would be added to the 2nd agent with `ssh-add -c`, but without `-c` to the 1st one. ssh clients started locally would use the local agent to authenticate; however, they would forward agent connections from remote servers to the 2nd agent.

The ForwardAgent ssh_config directive could be extended to support specifying a path to a socket in addition to the "yes" and "no" keywords, in the same way IdentityAgent does. IdentityAgent would point to the local agent socket (which doesn't prompt for key usage), and ForwardAgent would point to the other agent socket (which would require user confirmation when a remote client wishes to use a private key).