diff --git a/Makefile b/Makefile index 672c6b7..7951c31 100644 --- a/Makefile +++ b/Makefile @@ -10,6 +10,8 @@ reinstall: install -Dm755 src/ykfde-enroll "$(DESTDIR)/usr/bin/ykfde-enroll" install -Dm755 src/ykfde-format "$(DESTDIR)/usr/bin/ykfde-format" install -Dm755 src/ykfde-open "$(DESTDIR)/usr/bin/ykfde-open" + install -Dm755 src/ykfde-ssh "$(DESTDIR)/usr/bin/ykfde-ssh" + install -Dm755 src/ykfde-shell "$(DESTDIR)/usr/share/yubikey-full-disk-encryption/utils/shells/ykfde_shell" install -Dm644 README.md "$(DESTDIR)/usr/share/doc/ykfde/README.md" test: ./testrun.sh diff --git a/PKGBUILD b/PKGBUILD index 5d6381c..29ef8de 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -7,7 +7,7 @@ arch=('any') url='https://github.com/agherzan/yubikey-full-disk-encryption' license=('Apache') depends=('yubikey-personalization' 'cryptsetup' 'udisks2' 'expect') -optdepends=('ykchalresp-nfc: NFC support') +optdepends=('ykchalresp-nfc: NFC support' 'netcat: SSH support' 'mkinitcpio-dropbear: SSH support') makedepends=('git') backup=('etc/ykfde.conf') source=('git+https://github.com/agherzan/yubikey-full-disk-encryption.git') diff --git a/src/hooks/ykfde b/src/hooks/ykfde index e996a24..d8eb166 100644 --- a/src/hooks/ykfde +++ b/src/hooks/ykfde @@ -4,6 +4,7 @@ # set default values: DBG="" YKFDE_CONFIG_FILE="/etc/ykfde.conf" +YKFDE_SSH="" YKFDE_NFC="" YKFDE_DISK_UUID="" YKFDE_LUKS_NAME="" @@ -149,6 +150,8 @@ ykfde_do_it() { _rc=$? if [ "$_rc" -eq 0 ]; then + touch /.done + killall dropbear message " Decryption was successful." if [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" ] && [ "$YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP" -gt 0 ]; then [ "$DBG" ] && message " > Making $YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP sleep." 
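Review bot: The second new install line copies `src/ykfde-shell`, but the file this commit adds is `src/ykfde_shell` (underscore), so `make install` fails on that line as soon as it runs; change it to `install -Dm755 src/ykfde_shell "$(DESTDIR)/usr/share/yubikey-full-disk-encryption/utils/shells/ykfde_shell"`. The install hook in this same commit copies the script from that destination path, so the two spellings must agree. The enclosing recipe starts outside the hunk.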
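Review bot: `optdepends` names `netcat` for SSH support, but the host-side helper `src/ykfde-ssh` added in this commit invokes `ncat -c`, which as far as I know is shipped by the `nmap` package on Arch rather than by the netcat packages, so installing the listed optdep does not provide the binary the script runs. Either list `'nmap: SSH support (ncat)'` or make the helper use the same `nc` the initramfs side copies. Since the initramfs `add_binary "nc"` picks up whichever netcat implementation the build host has, naming one specific package would make the behaviour predictable.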
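Review bot: `touch /.done` and `killall dropbear` run on every successful unlock regardless of `YKFDE_SSH`, so a setup that never enabled SSH gets a "no process found" complaint from `killall` on each boot; guard them as `[ "$YKFDE_SSH" ] && { touch /.done; killall dropbear 2>/dev/null; }`. A short comment would also help a reader who has not seen the shell script, e.g. `# unblock the captive ykfde_shell session and stop dropbear now that the volume is open`. `ykfde_do_it` starts and ends outside the hunk.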
@@ -189,7 +192,7 @@ ykfde_challenge_response() { _starttime="$(date +%s)" message " > Waiting $_yubikey_timeout_str for YubiKey..." - while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do + while [ -z "$_yubikey_detected" ] && [ -z "$_yubikey_ssh_detected" ] && [ -z "$_yubikey_nfc_detected" ]; do _endtime="$(date +%s)" _usedtime=$((_endtime - _starttime)) [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykinfo -$YKFDE_CHALLENGE_SLOT': " @@ -198,6 +201,11 @@ ykfde_challenge_response() { [ "$DBG" ] && message "[$_rc] '$_tmp'" if [ "$_rc" -eq 0 ]; then _yubikey_detected=1 + elif [ "$YKFDE_SSH" ]; then + ss -Htln + if [ -n "$(ss -Htln 'sport :9000')" ]; then + _yubikey_ssh_detected=1 + fi elif [ "$YKFDE_NFC" ]; then [ "$DBG" ] && message " (used time:$_usedtime, timeout:$_yubikey_timeout) 'ykchalresp-nfc -n': " _tmp="$(ykchalresp-nfc -n 2>&1)" @@ -239,6 +247,14 @@ ykfde_challenge_response() { done fi + if [ -n "$_yubikey_ssh_detected" ]; then + message " Trying to perform challenge-response over SSH..." + while [ -z "$_ykfde_response" ]; do + sleep 0.5 + _ykfde_response="$(printf '%s\n' "$YKFDE_CHALLENGE" | nc 127.0.0.1 9000 | tr -d '\n')" + done + fi + if [ -n "$_yubikey_nfc_detected" ]; then while [ -z "$_ykfde_response" ]; do [ "$DBG" ] && message " Running: 'ykchalresp-nfc -$YKFDE_CHALLENGE_SLOT $YKFDE_CHALLENGE'..." diff --git a/src/install/ykfde b/src/install/ykfde index a68ee8d..f55e57d 100644 --- a/src/install/ykfde +++ b/src/install/ykfde 
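Review bot: The bare `ss -Htln` before the `if` prints every listening socket to the console on each poll iteration and its output is never used; drop it or gate it as `[ "$DBG" ] && ss -Htln`. Separately, because the new `elif [ "$YKFDE_SSH" ]` sits ahead of `elif [ "$YKFDE_NFC" ]`, enabling both options makes the NFC probe unreachable — probing each transport in its own `if` would let them coexist. `_yubikey_ssh_detected` is not reset alongside the other `_yubikey_*` flags anywhere in this hunk; presumably that happens earlier in the function, which starts and ends outside the hunk.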
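Review bot: The SSH response loop has no upper bound: if nothing answers behind the tunnel (the loopback listener on port 9000 stays up even after the host-side helper has exited), `nc` yields an empty string and the `while` spins forever, unlike the detection loop above which honours `_yubikey_timeout`. Reuse the same `_starttime`/`_usedtime` bookkeeping here and `break` with a message once `_yubikey_timeout` is exceeded so the existing failure path can take over. A one-line comment such as `# the challenge is relayed through the dropbear reverse tunnel to ykchalresp on the admin host` would document the data path for the next reader. `ykfde_challenge_response` continues past the hunk.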
@@ -41,6 +41,16 @@ build() { add_file "/etc/ykfde.conf" "/etc/ykfde.conf" add_file "/usr/lib/ykfde-suspend/initramfs-suspend" "/ykfde-suspend" 755 + # ssh support + if [ "$YKFDE_SSH" ]; then + add_binary "nc" + add_binary "ss" + add_binary "/usr/share/yubikey-full-disk-encryption/utils/shells/ykfde_shell" "/bin/ykfde_shell" + + echo 'root:x:0:0:root:/root:/bin/ykfde_shell' > "${BUILDROOT}"/etc/passwd + echo '/bin/ykfde_shell' > "${BUILDROOT}"/etc/shells + fi + # nfc support if [ "$YKFDE_NFC" ]; then # serial drivers for nfc diff --git a/src/ykfde-ssh b/src/ykfde-ssh new file mode 100644 index 0000000..82fa0e0 --- /dev/null +++ b/src/ykfde-ssh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash + +ncat -c 'read challenge; /bin/ykchalresp -2 "$challenge";' -l 9000 & +NCAT_PID=$! +ssh "root@$1" -R 127.0.0.1:9000:127.0.0.1:9000 +kill $NCAT_PID >/dev/null 2>&1 diff --git a/src/ykfde.conf b/src/ykfde.conf index f1fb04e..6d66597 100644 --- a/src/ykfde.conf +++ b/src/ykfde.conf @@ -16,6 +16,9 @@ ### OPTIONAL ### +# Enable communication with YubiKey via SSH (Experimental). +#YKFDE_SSH="1" + # Enable communication with YubiKey via NFC (Experimental). #YKFDE_NFC="1" diff --git a/src/ykfde_shell b/src/ykfde_shell new file mode 100644 index 0000000..79a59e1 --- /dev/null +++ b/src/ykfde_shell @@ -0,0 +1,5 @@ +#!/bin/sh +echo "Trying to unlock using YubiKey via SSH..." +while [ ! -f /.done ]; do + sleep 0.5 +done
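Review bot: The two `echo ... >` lines replace whatever `/etc/passwd` and `/etc/shells` an earlier hook (presumably the dropbear hook this feature relies on) may already have placed in `${BUILDROOT}`, and nothing records that ordering requirement; a comment stating it and why root's login shell is the captive script would help, e.g. `# root logs in over dropbear; ykfde_shell only waits for /.done, so no commands can be run`. Consider logging a warning when `"${BUILDROOT}/etc/passwd"` already exists before overwriting it, so a misordered HOOKS line surfaces at image-build time rather than at the first remote login. `build()` starts and ends outside the hunk.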
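Review bot: `ncat ... -l 9000` is given no bind address, so as far as I can tell the listener accepts connections on every interface, meaning any host that can reach port 9000 while `ykfde-ssh` is running can submit challenges and collect HMAC responses from the YubiKey; bind it to the loopback end of the reverse tunnel with `ncat -l 127.0.0.1 9000 -c '...'`. The slot is also hard-coded as `ykchalresp -2` whereas the hook honours `$YKFDE_CHALLENGE_SLOT`, and without `--keep-open` ncat exits after the first connection, so a retry from the hook's loop finds nothing behind the tunnel. A usage check such as `[ -n "$1" ] || { echo "usage: ykfde-ssh HOST" >&2; exit 1; }` would avoid starting the listener when no host was given.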
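Review bot: Nothing in the script says what it is for, and a reader meeting it as root's login shell will not guess that it is a captive shell; a header comment such as `# Captive login shell for the initramfs dropbear session: ignores any command (-c) and only blocks until the ykfde hook creates /.done` would cover that. Note that if unlocking never succeeds the loop never ends on its own, so the session relies entirely on the hook killing dropbear — worth stating in the same comment.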