I'm inclined to recommend against using `ssh-agent`. I suggest using ProxyCommand instead and I, myself, use that probably 50 times a day every day.

I have dozens of servers running Linux and FreeBSD that, naturally, have `sshd` enabled for remote access. Even though (almost) all of my servers have public IP addresses, there are only three of them accessible via SSH from "the world" -- two OpenBSD hosts and one RHEL host.

The two OpenBSD machines are "jumpboxes": their only purpose is to serve as a gateway into the network and to all of the other servers. Instead of SSH'ing into one of them and then SSH'ing out to the actual machine I want to log into, I make heavy use of "ProxyCommand" in my $HOME/.ssh/config so that I can just run, e.g. "ssh mx-out". An SSH connection to one of the jumpboxes is established and, through that, a connection to the actual server is then made. Since I use keys for authentication, I don't have to enter my password or passphrase twice (or even once) and the "magic" is completely transparent to the user once it's initially set up.

The RHEL host (which I've hardened as much as possible) is for web hosting customers to connect to in order to upload/download files into their web space. It is not a web server, itself, but it is an NFS client so that customers don't need to log into the actual web servers themselves.

This is a good setup; I had something similar years ago to deal with screen.

One general word of warning with ssh-agent: Only use -A to forward it to another host that you completely trust, as anyone with root on that machine will be able to use your private keys.
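
The jumpbox arrangement from the first comment, with the agent-forwarding caution from the reply applied, as an added `~/.ssh/config` example that is not either poster's actual configuration. Every host name, user name and key path except the `mx-out` alias is a placeholder.

```sshconfig
# Added example. Placeholders: jump1, *.example.net, alice, the key path.
# Only the alias "mx-out" comes from the thread.

# Safe default for every host: never expose the local agent socket remotely.
# (This is also the OpenSSH default; stating it guards against a stray
# "ForwardAgent yes" in an included file or a system-wide config.)
Host *
    ForwardAgent no

# The jumpbox: the only host reached directly from the outside.
Host jump1
    HostName jump1.example.net
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# An internal server reached through the jumpbox with "ssh mx-out".
# "ssh -W %h:%p jump1" logs in to jump1 and asks it only to relay a TCP
# stream to the target's sshd. The SSH session to mx-out is then negotiated
# end to end from the workstation inside that stream, so authentication to
# mx-out happens on the workstation and jump1 sees only ciphertext.
Host mx-out
    HostName mx-out.internal.example.net
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p jump1
    # On OpenSSH 7.3 or later, "ProxyJump jump1" does the same job
    # and can replace the ProxyCommand line above.
```

With this layout a compromised jumpbox can drop or observe the relayed connection's metadata, but it is never handed an agent socket, which is the exposure the reply warns about with `-A`.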