Monday, January 15, 2007

Nastier tricks with ssh

In my daily blog reading a week or so ago, I stumbled on Jon Hart's blog. In it, he notes that root can read any file whatsoever on a *nix system and that ssh agent forwarding is accomplished using unix sockets. The corollary is that root (or someone with access to your account) can steal your password-protected ssh keys after you decrypt them.

Having used key-based authentication regularly myself, I got to thinking about other possibilities for an unrestricted user. As it turns out, if a user can read someone else's private key file, they can authenticate with it. Long story short, I've modified Jon's code to also search out non-password-protected keyfiles and attempt to abuse them.
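Added here as an example (it is not Jon's code or the author's modification of it): a Python audit written from the defender's side that flags exactly the files the post describes, private keys stored without a passphrase or readable by group/other. It covers the PEM/PKCS#8 layouts and also the newer openssh-key-v1 format; the sample keys are constructed placeholders with no real key material, and the `/home` root mentioned in a docstring is an assumption.

```python
import base64, os, stat
MAGIC = b"openssh-key-v1\x00"

def _openssh_v1(cipher, kdf):
    """Constructed openssh-key-v1 header (magic, ciphername, kdfname) only; no key material."""
    hdr = MAGIC + b"".join(len(s).to_bytes(4, "big") + s for s in (cipher, kdf))
    b64 = base64.b64encode(hdr).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples: bodies are placeholders, not real keys.
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                  "00112233445566778899AABBCCDDEEFF\n\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_OPENSSH_PLAIN = _openssh_v1(b"none", b"none")
SAMPLE_OPENSSH_ENC = _openssh_v1(b"aes256-ctr", b"bcrypt")

def key_is_encrypted(text):
    """True/False for a PEM or openssh-key-v1 private key; None if text is not a private key."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))
        if not blob.startswith(MAGIC):
            return None
        n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "big")   # length of ciphername
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"    # "none" means stored in the clear
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:  # PKCS#8, passphrase-protected
        return True
    if "PRIVATE KEY-----" in text:                       # traditional PEM or plain PKCS#8
        return "Proc-Type: 4,ENCRYPTED" in text
    return None

def audit_key(text, mode):
    """Finding dict if the key is unencrypted or group/other-readable, else None."""
    enc = key_is_encrypted(text)
    loose = bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))
    return {"encrypted": enc, "mode": oct(stat.S_IMODE(mode))} if enc is False or (enc and loose) else None

def audit_tree(root):
    """Walk root (e.g. /home); return (path, finding) for every key audit_key flags."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    finding = audit_key(fh.read(), os.stat(path).st_mode)
            except (OSError, ValueError):  # unreadable file or malformed key blob: skip it
                continue
            if finding:
                out.append((path, finding))
    return out
```

Run `audit_tree("/home")` as root to get the list of keys that would be usable by anyone who can read the file.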
