diff --git a/ansible/roles/ldap_client/handlers/main.yaml b/ansible/roles/ldap_client/handlers/main.yaml
index 8121eba..9b294fc 100644
--- a/ansible/roles/ldap_client/handlers/main.yaml
+++ b/ansible/roles/ldap_client/handlers/main.yaml
@@ -3,3 +3,7 @@
 name: sssd
 state: restarted
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
diff --git a/ansible/roles/ldap_client/tasks/main.yaml b/ansible/roles/ldap_client/tasks/main.yaml
index f1043dd..7f17861 100644
--- a/ansible/roles/ldap_client/tasks/main.yaml
+++ b/ansible/roles/ldap_client/tasks/main.yaml
@@ -1,3 +1,4 @@
 - import_tasks: install.yaml
 - import_tasks: authselect.yaml
 - import_tasks: nsswitch.yaml
+- import_tasks: sshd.yaml
diff --git a/ansible/roles/ldap_client/tasks/sshd.yaml b/ansible/roles/ldap_client/tasks/sshd.yaml
new file mode 100644
index 0000000..bc72022
--- /dev/null
+++ b/ansible/roles/ldap_client/tasks/sshd.yaml
@@ -0,0 +1,14 @@
+- name: Ensure sshd has AuthorizedKeysCommand
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^AuthorizedKeysCommand'
+ line: 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'
+ notify: restart sshd
+
+- name: Ensure sshd has AuthorizedKeysCommandUser
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^AuthorizedKeysCommandUser'
+ line: 'AuthorizedKeysCommandUser nobody'
+ notify: restart sshd
+
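Review bot: The first task's `regexp: '^AuthorizedKeysCommand'` in sshd.yaml also matches the `AuthorizedKeysCommandUser nobody` line written by the second task, and lineinfile replaces the last matching line, so from the second run onward task one overwrites the User line with a duplicate `AuthorizedKeysCommand` entry, task two re-appends it, and `restart sshd` fires on every run instead of converging; anchor the keyword with `regexp: '^AuthorizedKeysCommand\s'` (the second task's pattern is unambiguous). Neither task validates the edited file, so a malformed sshd_config followed by the new restart handler leaves sshd down on a host that is managed over ssh; add `validate: /usr/sbin/sshd -t -f %s` to both lineinfile tasks so the write is rejected before the handler runs. When no existing line matches, lineinfile appends at end of file, which lands the directives inside a trailing `Match` block if the distribution's sshd_config has one and silently narrows their scope — if that is possible on the target hosts, `insertbefore: '^Match'` with `firstmatch: true` keeps them in the global section. If the hosts' sshd_config begins with an `Include` of drop-in files, an AuthorizedKeysCommand set there wins over these appended lines (sshd takes the first occurrence); that cannot be confirmed from the diff, but it is worth checking on the target image.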