SSH caches keys of ongoing sessions in /tmp. Root can hijack, SSH to machine (opens in new tab)

Someone discovered either "ssh-agent" or ssh agent forwarding.

I bet the next tweet from that account is: "Red Teamers: Check out ~/.ssh for user ssh keys! root user can hijack them and SSH to any machine the user can access"

Um. Yeah. That's kinda how that whole root thing works.