Even the yubikey suggestion is suspect. A hardware token can protect access to your private keys by firewalling them on the "first system", which the agent is doing already. And enabling agent support on a remote device is, if anything, only opening new attack vectors; it's improving convenience and not security (the remote system has no way to validate that the hardware is in use, it just knows from ssh key pairs). It's not a bad suggestion, but it's not meaningfully different than just using ssh-agent as intended.
Then it goes on and explains how to use ControlMaster to evade the physical access validation granted by the key! I mean... why even bother with the key in the first place?
ControlMaster itself is a bad idea generically unless you really know what you're doing, because the original connection process needs to stay alive until the last child connection exits. Hands up, all of us who ever inexplicably hung cron jobs and other automated systems by doing interactive stuff at the wrong moment. I know I have. (To be clear: it's still useful as a performance enhancement for remote work, but you absolutely have to know what you're doing and script it carefully. It shouldn't appear like this in a default config line.)
Similarly CanonicalizeHostnames is a recipe for collision with your DNS. If a name doesn't work the way you want it to you need to fix the naming and not just decide to speak a new language.
> but it's not meaningfully different than just using ssh-agent as intended.
Except for where the key is stored. How much difference that makes depends on the use-case. For a developer laptop with a passphrase protected key? Not much of a difference.
ControlMaster is great for development too. That should have been prefixed with that caveat.
In fact, it seems that all recommendations are from the point of view of a developer, not automation. That would be a bad idea for automated systems, as you point out.
Yes, it's from the standpoint of me, as a developer, using these things to improve my own workflow... not to use to automate stuff.
Even the control master thing, I mentioned it goes against the purpose of the yubikey, but then I explain how I use it only for github and only for a few seconds to prevent having to touch the key nonstop when updating nvim plugins and such... IMHO it's a good tradeoff...
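As an added illustration of the tradeoff discussed above (this config is not from either commenter), here is an `~/.ssh/config` that scopes ControlMaster to github.com with a short persist window and leaves it off everywhere else, so cron jobs and scripts never become children of an interactive master; the socket path, timeouts and `User git` are assumptions for illustration.

```ssh_config
# Added example, not from the thread. ssh_config takes the FIRST value it
# finds for each option, so the narrow github.com stanza must come before
# the catch-all "Host *" stanza below.

# Only for github.com: reuse one authenticated connection for a few seconds
# so a burst of git fetches (e.g. plugin updates) needs a single key touch.
# Every session opened while the master is alive rides on the master's
# original authentication, so ControlPersist is the size of the "no touch"
# window; keep it short.
Host github.com
    User git
    ControlMaster auto
    # %C is a hash of local host, remote host, port and user. The directory
    # holding the socket must be owned by you and not world-writable
    # (create it with: mkdir -m 700 ~/.ssh/cm).
    ControlPath ~/.ssh/cm/%C
    # Drop the master shortly after the last multiplexed session ends.
    ControlPersist 10s
    # Tear the master down quickly if the peer disappears.
    ServerAliveInterval 5
    ServerAliveCountMax 2

# Default for every other host: no multiplexing at all. Automated ssh calls
# cannot be left hanging when an interactive master session is closed,
# and each connection has to authenticate (and touch the key) on its own.
Host *
    ControlMaster no
    # Do not rewrite host names on the client; fix DNS instead.
    CanonicalizeHostnames no
```

`ssh -O check github.com` reports whether a master is currently running and `ssh -O exit github.com` closes it before the persist window expires.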
I would dearly like to have a way to unlock keys on the remote host with my local yubikey. I generate one key for every (user, host, remoteHost) tuple, so when I'm SSH-ed into a remote host, I can't use keys from that remote host to make further connections unless I use a passphrase.