@madargon I wonder whether the extensions that allow one to somewhat limit agent forwarding can be helpful here. (After all, if one limits agent forwarding to only be used to authenticate to host foo, then something somewhere has to be able to evaluate this predicate.)