Adventures In Tech


A technology blog by Ross Macduff

Keychain's --clear option

I find it hard to live without Keychain on my workstations. It makes adding and managing keys for ssh-agent a no-brainer. But along with that ease of use comes a risk: as long as the key(s) have been decrypted and loaded into the agent, anyone who gains access to your account can reach the same systems you can with your keys.

When I remembered, I would use 'ssh-add -x' to lock the agent if I knew I would be away for a while, but that has obvious problems for someone with a memory such as mine; it also doesn't protect against an intruder accessing the system unbeknownst to you even while you are using it.

This is exactly what the '--clear' option for Keychain solves. It adds a bit of an inconvenience for the user, who now needs to enter the passphrase for the key(s) every time a new session is started, but it will prevent any unauthorized guests from accessing your unencrypted private keys.
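As an added example (not from the original post, and not part of Keychain itself), here is a small POSIX shell audit that checks a login profile for keychain invocations that load keys without --clear, alongside the hardened form of the profile line. The two profile contents are constructed samples; the key name id_rsa, the profile path and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a shell login profile for keychain lines that load
# keys into ssh-agent without --clear, and show the hardened form.

# Constructed sample: a profile that loads a key and leaves it cached
# across sessions, so anyone reaching the account can use it.
WEAK_PROFILE='# ~/.bash_profile (constructed sample)
eval "$(keychain --eval --agents ssh id_rsa)"'

# Constructed sample: the same line with --clear, so every new login
# wipes the agent and the passphrase must be entered again.
HARDENED_PROFILE='# ~/.bash_profile (constructed sample)
eval "$(keychain --eval --clear --agents ssh id_rsa)"'

# keychain_without_clear PROFILE_TEXT
# Prints each non-comment line that invokes keychain but lacks --clear.
keychain_without_clear() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep 'keychain' \
      | grep -v -- '--clear'
    # the final grep exits 1 when nothing is printed; that is not an error here
    return 0
}

# count_findings PROFILE_TEXT
# Prints the number of offending lines (0 means the profile is hardened).
count_findings() {
    keychain_without_clear "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report both constructed profiles.
printf 'weak profile findings:     %s\n' "$(count_findings "$WEAK_PROFILE")"
printf 'hardened profile findings: %s\n' "$(count_findings "$HARDENED_PROFILE")"
```

The check deliberately keys on the profile text rather than on a live agent, so it can run from cron or a configuration-audit job without an ssh-agent present. Keychain's documentation places --clear in the login profile (~/.bash_profile) rather than in ~/.bashrc, so that keys are wiped once per login and not every time a new shell is opened; the --timeout option, which expires cached keys after a set number of minutes, is a complementary control for the case where a session is left unattended.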

Filed under: security
