Is my private key safe if I use authenticaiton agent forwarding with the ssh -A option?

Question

I love the option to connect to servers via SSH with the -A option, so I can use my private keys on the server.

This lets me update git/svn repositories and connect to other servers without the need of uploading the private key to the server.

Awesome!

But how does it work?

My concern is that the private key is temporary accessible on the server. And if the server is compromised, or another user is logged in as root somehow, it could be accessed.

Is that the case?

I examined the content of /tmp where a folder named ssh-something is present with a socket named ssh-something inside.

This gives me hope that the necessary handshake requests are passed on to my local machine, and are processed/signed there and my private key does not actually ever leave my local machine.

Is that the case?

Answer 1

Sorry for asking before reading...

From man ssh

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key mate‐ rial from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.