This is a copy of Apple's OpenSSH 5.6p1 that is bundled with OS X 10.7, plus a modification to add a `RequireKeyConfirmation` option. This no longer includes the `AddKeysToAgent` option modification, as it is no longer needed.
With `RequireKeyConfirmation` set to `yes` in `~/.ssh/config`, any identities added to `ssh-agent` will require confirmation before use. Combined with the included `cocoa-ssh-askpass` wrapper around CocoaDialog, a GUI dialog will be presented when SSH tries to use an unlocked identity stored in the agent. This applies to SSH spawned from a terminal (directly or through things like `git`), from a forwarded agent, and from any GUI program that uses it in the background to set up tunnels, like Sequel Pro.
More information about agent confirmation can be read at http://jcs.org/macssh.
Run `xcodebuild` from the top directory. `sudo xcodebuild install` will install it into `/tmp/openssh.dst` as usual. Overlay this directory on to `/` with `sudo rsync -av /tmp/openssh.dst/. /.`. Avoid directly installing into `/` by overriding `DSTROOT` because of some scary recursive `chmod`s and `chown`s that the Xcode build script does (from Apple).
Download and install CocoaDialog to `/Applications/Utilities`. The `cocoa-ssh-askpass` wrapper that is installed as `/usr/libexec/ssh-askpass` will look for CocoaDialog at `/Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog`.
At the first SSH connection, the usual secure input window will appear asking for the key passphrase. Leave the "Remember password in my keychain" option unchecked. If `RequireKeyConfirmation` is set to `yes`, on the next SSH connection, `/usr/libexec/ssh-askpass` will be invoked to prompt for confirmation.
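The setup above fails quietly if any piece is missing, so the following added script (not part of this repository) checks the three things the text depends on: the askpass wrapper, CocoaDialog at the path the wrapper expects, and `RequireKeyConfirmation yes` in the config. The function names are hypothetical, and the config parsing assumes the option is set globally (Host/Match scoping is ignored).

```shell
#!/bin/sh
# Added example: verify the pieces this README says must be in place.

# Print the first RequireKeyConfirmation value found in an ssh config file.
# Assumption: Host/Match scoping is ignored; as in ssh itself, the first value
# found wins. Keywords are case-insensitive and may be followed by "=".
confirmation_value() {
    [ -r "$1" ] || return 1
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        {
            n = split(line, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == "requirekeyconfirmation") {
                print tolower(f[2]); exit
            }
        }
    ' "$1"
}

# check_setup ROOT CONFIG: ROOT is "/" on a real system, or a staging tree
# such as /tmp/openssh.dst. Returns the number of problems found (0 = ok).
check_setup() {
    root=${1%/}
    config=$2
    problems=0
    askpass="$root/usr/libexec/ssh-askpass"
    dialog="$root/Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog"

    [ -x "$askpass" ] || {
        echo "missing or not executable: $askpass"; problems=$((problems + 1)); }
    [ -x "$dialog" ] || {
        echo "CocoaDialog not found at: $dialog"; problems=$((problems + 1)); }
    [ "$(confirmation_value "$config")" = "yes" ] || {
        echo "RequireKeyConfirmation is not yes in: $config"; problems=$((problems + 1)); }
    return "$problems"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then
    check_setup / "$HOME/.ssh/config" && echo "agent confirmation setup looks complete"
fi
```

Without a working askpass program the agent has no way to ask, so a failed check here usually shows up later as a refused key rather than a dialog.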