Comment Re:who is doing this? (Score 1) 212
A nice solution I use for myself (home and work) is to use the ssh-agent distributed with GnuPG. I have an OpenPGP card (http://g10code.com/p-card.html) which holds my private key; the key cannot be retrieved. The card itself is PIN protected. I don't have to worry about my private key ever showing up in the filesystem or backups.
This works nicely with the -A option to ssh, which sets up a control channel back to the authentication agent on my desktop. I can ssh to server A, then ssh from A to B using my local smart card. If I'm ssh'd to server A and need to leave my desk, I can unplug the card and immediately break the authentication chain.
If I were setting up an SSH scheme in a large organization, this would be my first line of defense.
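The setup this comment describes, written out as an added example (not the commenter's own configuration): gpg-agent takes over as the SSH agent, and agent forwarding (what `-A` turns on) is enabled for one named host only. The host name `server-a.example` and the function names are placeholders, and the `agent-ssh-socket` query assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example. Host name and function names are placeholders, not from the comment.

# Turn on gpg-agent's built-in ssh-agent emulation (safe to run twice).
enable_gpg_ssh_support() {
    gss_conf="$1/gpg-agent.conf"
    mkdir -p "$1" && chmod 700 "$1"
    touch "$gss_conf"
    grep -qx 'enable-ssh-support' "$gss_conf" || echo 'enable-ssh-support' >> "$gss_conf"
}

# Forward the agent (what `ssh -A` does) only to one named host.
# ssh_config uses the first value it finds, so the host entry must precede "Host *".
write_forwarding_policy() {
    grep -qxF "Host $2" "$1" 2>/dev/null && return 0
    cat >> "$1" <<EOF
Host $2
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
    chmod 600 "$1"
}

# Point ssh at gpg-agent's socket; private-key operations then happen on the card.
use_gpg_agent_socket() {
    command -v gpgconf >/dev/null 2>&1 || return 1
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
    gpgconf --launch gpg-agent
}

# Only touches the real home directory when asked to.
if [ "${1:-}" = "--apply" ]; then
    enable_gpg_ssh_support "$HOME/.gnupg"
    write_forwarding_policy "$HOME/.ssh/config" "server-a.example"
    use_gpg_agent_socket && ssh-add -L   # lists the card's public key if present
fi
```

Setting `SSH_AUTH_SOCK` the same way in the shell profile makes new terminals use gpg-agent as well.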