Authenticate sudo commands executions over a remote SSH connection


I’m planning to use a Nitrokey (I should receive a Nitrokey 3C NFC this month) to authenticate my SSH session and remote sudo. I want to avoid using the pam_ssh_agent_auth for sudo authentication. Yubikey has a PAM module that reads the string sent by the device (HID keyboard) and processes it using a connection to a remote server they host. This solution is interesting, but I would prefer to self-host the authentication server if one is needed, and use a Nitrokey. I have looked at pam_google_authenticator, which may be a solution for me if the Nitrokey can send a compatible OTP.

My requirement is to deploy SSH and sudo authentication using Debian packaged tools, if possible, and avoiding forwarding anything from the SSH client.

Do you have any feedback or ideas on how to accomplish this? Best regards.