Secure Administration Of Servers And IoT With SSH

Phishing attacks and lack of two-factor authentication (2FA) are among the most common reasons for successful attacks on corporate networks. System administrators use either passwords or keys to access servers via SSH. Keys cannot be guessed, but key files can be stolen as easily as passwords (e.g. by malware). When using Nitrokey, SSH keys are securely stored in the Nitrokey instead.

Manage your servers, critical infrastructures and the Internet of Things (IoT) not only securely, but also more easily. Your administrators no longer need to synchronize key files between their desktops or enter complex passwords. Nitrokey acts as a physical key for SSH access to your servers and can be used flexibly on any desktop.


  • High security of your infrastructure through two-factor authentication
  • Easier to use as passwords and as synchronization of key files
  • The PIN of the Nitrokey must only be entered during the first access. All subsequent accesses will be automatic until the Nitrokey is removed.
  • No long passwords required; a short PIN is sufficiently secure.
  • Like an office or front door key, the Nitrokey is always there and can be used on Windows, macOS and Linux.
  • Compatible with all SSH servers without software changes.

Central User and Key Management

The distribution of the public SSH keys to your servers can be carried out unchanged using established methods (e.g. Puppet, Chef, Ansible). Alternatively we recommend Theo and PrivacyIDEA. Theo is a lightweight system specially designed for SSH. PrivacyIDEA is a comprehensive two-factor authentication system. Both systems consist of a central server and decentralized agents, which are installed on the servers to be administered. Users and public keys are managed centrally. The agents are responsible for distributing this information.

PrivacyIDEA also simplifies the personalization (key generation and configuration) of a large number of Nitrokeys. The nitrokeys are personalized one after the other without user interaction. PrivacyIDEA can be operated as a dedicated roll-out station for this purpose.


This video shows that the PIN is queried during the first SSH access and that subsequent SSH accesses take place without further PIN queries.


Contact  Shop  Documentation