diff --git a/roles/sysconfig/handlers/main.yml b/roles/sysconfig/handlers/main.yml
index ee9f0c9a1d6b3920e28c30cb1e2d328257eeb0f8..8a44608f001486e8f4ae6d9a5131313146fa91a2 100644
--- a/roles/sysconfig/handlers/main.yml
+++ b/roles/sysconfig/handlers/main.yml
@@ -12,6 +12,11 @@
     name: cron
     state: restarted
 
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+
 - name: update cache
   apt:
     force_apt_get: true
diff --git a/roles/sysconfig/tasks/main.yml b/roles/sysconfig/tasks/main.yml
index fbc1a3450d056b55adcbc7d9d55d2b204b18dd30..4b0dbe3604c12465c7f5fef54fc13148e76cc227 100644
--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -20,6 +20,19 @@
       APT::Periodic::Update-Package-Lists "1";
       APT::Periodic::Unattended-Upgrade "1";
 
+- name: enable root login via ssh with key
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
+    replace: "PermitRootLogin without-password"
+  notify: restart sshd
+
+- name: remove disabled root login
+  replace:
+    dest: /root/.ssh/authorized_keys
+    regexp: "^no-port-forwarding,(.+) ssh-"
+    replace: "ssh-"
+
 # FIREWALL
 
 - name: firewall