diff --git a/roles/sysconfig/tasks/main.yml b/roles/sysconfig/tasks/main.yml
index 69182767f07996b83dd7e7f10c8ab33ba03d67b1..21a1dea037cdc1a0ccc51d06f556a2775e2e3f94 100644
--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -96,7 +96,18 @@
     backup: true
   notify: restart unattended-upgrades
 
-- name: enable root login via ssh with key
+- name: verify root user ssh authorized key file
+  ansible.builtin.stat:
+    path: /root/.ssh/authorized_keys
+  register: auth
+
+- name: fail if the root ssh authorized key is missing or empty
+  ansible.builtin.fail:
+    msg: "Error: root user does not have any ssh key configured !\n\
+          Cannot configure PermitRootLogin to without-password"
+  when: not auth.stat.exists or auth.stat.size == 0
+
+- name: enable root login via ssh with key only
   ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: ^#?PermitRootLogin.*
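Review bot: The guard `when: not auth.stat.exists or auth.stat.size == 0` only shows that the file has bytes in it, not that sshd will accept a key from it. A file holding only comments or blank lines passes the check, and so does one that is group- or world-writable or not owned by root, which sshd ignores under its default `StrictModes yes`. The next task then restricts root to key-only login, which can lock the host out. The condition could be extended with fields the stat result already carries, e.g. `or auth.stat.pw_name != 'root' or auth.stat.wgrp or auth.stat.woth`. A comment above the fail task would also help, such as `# size > 0 does not validate key content; sshd_config may set a different AuthorizedKeysFile`. The body of the replace task continues outside the hunk, so whether it handles an absent `PermitRootLogin` line cannot be judged from here.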