Johannes Mueller johannes-mueller

johannes-mueller / keybase.md
Last active August 29, 2015 14:25

Keybase proof

I hereby claim:

  • I am johannes-mueller on github.
  • I am johmue (https://keybase.io/johmue) on keybase.
  • I have a public key whose fingerprint is C868 6D50 DBF1 C749 EE24 7314 4ED9 F210 3BD1 5CE4

To claim this, I am signing this object:

johannes-mueller / gpg-card-remote.md
Last active January 17, 2024 23:12
Sudo authentication and decryption on remote hosts by forwarding local gpg agents.

Use your NitroKey for sudo authentication on remote hosts

Sometimes it feels odd to type passwords for sudo authentication on remote hosts. It would be much more comfortable to just use your hardware key like a Nitrokey Start or Nitrokey Pro. The following setup has been tested with a NitroKey Pro 2 and NitroKey Start.

The trick is to forward the gpg agent from your local machine, where you plug in your hardware key, to your remote host via ssh socket forwarding. Then we can use the key in our NitroKey to decrypt and authenticate on the remote host.

Warning

If you use an ssh-agent and this setup to log in to your remote servers and get root access there, the same can be done by an attacker who succeeds in owning your local machine. So an attacker getting access to your laptop with your user privileges can just wait until you plug in your hardware key and unlock it. Then they can lo