Security breach on Linux.com, LinuxFoundation.org
Posted Sep 13, 2011 11:03 UTC (Tue) by tialaramex (subscriber, #21167)
In reply to: Security breach on Linux.com, LinuxFoundation.org by dlang
Parent article: Security breach on Linux.com, LinuxFoundation.org
1. User rarely connects to the system at all. In this case storing even a passphrase-protected private key for that user increases your exposure: the bad guys can obtain the protected key and crack the passphrase at their leisure and unknown to you. SSH agents are clearly better here.
2. User frequently connects, but rarely needs forwarding. In this case the SSH agent capability is probably exposed whenever they're connected, even though they aren't using it. Whereas a passphrase-protected key would at least have the passphrase protecting it until they used it. I think on balance storing the key locally is no worse in this case.
3. User frequently connects, frequently uses forwarding. In this case the private key, if it were stored, would very often be unlocked. The bad guys would certainly get the key and passphrase, and the passphrase may have been re-used elsewhere, increasing the impact. So SSH agents are much better here, although still dangerous.
It is my opinion that OpenSSH or alternative clients could offer e.g. a middle setting between "ForwardAgent No" and "ForwardAgent Yes" of "ForwardAgent Ask" that might be useful here, then an SSH agent would once again be unquestionably the better option.
One thing where local keys win over SSH agents is if you have people with access to many disparate systems -- the SSH agent doesn't easily distinguish requests that make good sense (e.g. a request from CorpLoginBox for authentication to CorpDBServer) from those that seem unlikely and should be flagged (a request by PublicGitRepo for authentication to CorpDBServer). If ForwardAgent is permitted at all for a machine, then all your keys can be proxied through that machine. However, most users don't have such a complicated setup, with multiple SSH identities and forwarding rules, for this to make any difference to them.
Cert auth isn't the solution to all the world's problems, but it completely neutralises password-guessing attacks, which to my mind makes it worthwhile just for that. If the bad guys had to use a targeted attack on one of my colleagues, just so that they can successfully connect to a server, I think we're doing pretty well to have forced the bar that high early in the game.
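An added example, not part of the comment above: a small audit that reports which hosts a client ssh_config would forward the agent to, using OpenSSH's first-match-wins rule for Host blocks. The two sample configs are constructed, the host names are borrowed from the comment, and Match blocks and Include files are not evaluated (a simplification).

```python
import fnmatch
import shlex

def host_matches(patterns, host):
    """ssh_config Host rule: a positive pattern matches and no negated one does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_forward_agent(config_text, host):
    """Return the ForwardAgent value that applies to host (first value found wins)."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line.replace("=", " ", 1))
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif key == "forwardagent" and active and args:
            return args[0].lower()
    return "no"  # OpenSSH default when nothing sets it

def audit(config_text, hosts):
    """Hosts that would be handed access to the agent (any value other than 'no')."""
    return sorted(h for h in hosts if effective_forward_agent(config_text, h) != "no")

# Constructed sample configs. WEAK forwards everywhere through the wildcard block.
WEAK = "Host corploginbox\n    User alice\nHost *\n    ForwardAgent yes\n"
# HARDENED forwards only to the one host that needs it.
HARDENED = "Host corploginbox\n    ForwardAgent yes\nHost *\n    ForwardAgent no\n"

if __name__ == "__main__":
    hosts = ["corploginbox", "publicgitrepo"]
    print("weak:    ", audit(WEAK, hosts))
    print("hardened:", audit(HARDENED, hosts))
```

Every host the audit lists can ask the agent to sign with any loaded key while the session is open, so the list should contain only machines that genuinely need forwarding.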
Posted Sep 13, 2011 13:51 UTC (Tue)
by foom (subscriber, #14868)
Posted Sep 13, 2011 22:10 UTC (Tue)
by corvus (guest, #82)
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+...
https://bugzilla.gnome.org/show_bug.cgi?id=525574