My biggest problem with any of these approaches, besides the inconvenience,
is that they eliminate the opportunity for secure, automated batch processes. I
have various cron jobs that fire off automatically, connect to different
servers, do reports/extracts/whatever, and so on. For that, AFAIK, you need
to store your keys in the filesystem.

Correct me if I'm wrong, but as long as your private key is chmod 600, the
only way it will be compromised is if your local workstation gets rooted.
If that happens, ssh-agent itself can be quickly trojaned with a compromised
copy that collects passwords. Likewise, if you're just using
passphrase-encrypted keys, ssh and cvs themselves are both compromised on a
rooted box... so what's the difference? Or am I missing something?