diff --git a/roles/kerberize/handlers/main.yml b/roles/kerberize/handlers/main.yml
index d0a508b..3ac7e3e 100644
--- a/roles/kerberize/handlers/main.yml
+++ b/roles/kerberize/handlers/main.yml
@@ -2,5 +2,4 @@
   systemd:
     name: sshd
     state: reloaded
-  notify: "reload sshd"
   when: not run_in_installer|default(false)|bool
diff --git a/roles/lmn_security/handlers/main.yml b/roles/lmn_security/handlers/main.yml
new file mode 100644
index 0000000..d9d12b9
--- /dev/null
+++ b/roles/lmn_security/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload sshd
+  systemd:
+    name: sshd
+    state: reloaded
diff --git a/roles/lmn_security/tasks/main.yml b/roles/lmn_security/tasks/main.yml
index 7ddb591..3ce31d5 100644
--- a/roles/lmn_security/tasks/main.yml
+++ b/roles/lmn_security/tasks/main.yml
@@ -5,7 +5,7 @@
     key: "{{ item }}"
   loop: "{{ keys2deploy }}"
 
-- name: Allow sudo access without password
+- name: Allow sudo without password for ansible
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/95-lmn-ansible
     line: 'ansible ALL=(root) NOPASSWD: ALL'
@@ -18,3 +18,12 @@
   ansible.builtin.user:
     name: ansible
     password_lock: True
+
+- name: Limit SSH access to user ansible
+  ansible.builtin.blockinfile:
+    dest: /etc/ssh/sshd_config.d/local.conf
+    create: true
+    block: |
+      PasswordAuthentication no
+      AllowUsers ansible
+  notify: Reload sshd
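Review bot: The new `Reload sshd` handler carries no guard equivalent to the `when: not run_in_installer|default(false)|bool` condition the kerberize handler keeps in the first hunk, so a run with `run_in_installer` set would still attempt a systemd reload of sshd from this role; if that variable is meant to apply to both roles, add `when: not run_in_installer|default(false)|bool` here as well. The module is invoked as bare `systemd:` while the tasks file changed in the same commit uses fully qualified `ansible.builtin.*` names; `ansible.builtin.systemd:` would keep the role consistent. The new file also has no leading `---` document-start marker, which yamllint's `document-start` rule will flag.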
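Review bot: The `Limit SSH access to user ansible` task writes `PasswordAuthentication no` and `AllowUsers ansible` into a drop-in, but nothing checks that sshd will actually apply them: sshd keeps the first value it reads for each keyword, so if `/etc/ssh/sshd_config` sets either keyword before its `Include` line, or a drop-in that sorts before `local.conf` does (some cloud images ship such a fragment), this block is silently overridden and the host keeps password logins and unrestricted SSH users. Consider a fragment name with a low numeric prefix (e.g. `00-lmn.conf`, constructed example) and a `validate: /usr/sbin/sshd -t -f %s` option so a malformed block is rejected before the `Reload sshd` handler fires. Because `AllowUsers ansible` together with the `password_lock: True` context line above leaves key-based login as `ansible` as the only remote path in, this task depends entirely on the `keys2deploy` task at the top of the file having succeeded; `create: true` with no `owner`/`group`/`mode` also leaves the new file's permissions to the default umask rather than the root-only mode the other sshd_config.d files carry. The task also uses `dest:` where the neighbouring lineinfile uses `path:`; `path` is the canonical option name.
```yaml
- name: Limit SSH access to user ansible
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config.d/local.conf
    create: true
    owner: root
    group: root
    mode: "0600"
    validate: /usr/sbin/sshd -t -f %s
    # … unchanged: block …
  notify: Reload sshd
```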