Johannes Mueller johannes-mueller

Last active Jan 21, 2020
Sudo authentication and decryption on remote hosts by forwarding local gpg agents.

Use your NitroKey for sudo authentication on remote hosts

Sometimes it feels odd to type passwords for sudo authentication on remote hosts. It would be much more comfortable to just use your hardware key like a Nitrokey Start or Nitrokey Pro. The following setup has been tested with a NitroKey Pro 2 and NitroKey Start.

The trick is to forward the gpg agent from your local machine, where your hardware key is plugged in, to your remote host via ssh socket forwarding. Then we can use the key in our NitroKey to decrypt and authenticate on the remote host.


If you use an ssh-agent and this setup to log in to your remote servers and get root access there, an attacker who succeeds in owning your local machine can do the same. So an attacker who gets access to your laptop with your user privileges can just wait until you plug in your hardware key and unlock it. Then they can lo


Keybase proof

I hereby claim:

  • I am johannes-mueller on github.
  • I am johmue on keybase.
  • I have a public key whose fingerprint is C868 6D50 DBF1 C749 EE24 7314 4ED9 F210 3BD1 5CE4

To claim this, I am signing this object:
