diff --git a/roles/ssh_server/tasks/main.yaml b/roles/ssh_server/tasks/main.yaml
index 1902679..a182a17 100644
--- a/roles/ssh_server/tasks/main.yaml
+++ b/roles/ssh_server/tasks/main.yaml
@@ -111,6 +111,13 @@
 regexp: '^TrustedUserCAKeys *'
 notify: restart ssh
+- name: permit root login only with certificate
+ lineinfile:
+ line: 'PermitRootLogin without-password'
+ dest: '/etc/ssh/sshd_config'
+ regexp: '^PermitRootLogin *'
+ notify: restart ssh
+
 - meta: flush_handlers
 - name: "waiting for ssh on {{ ansible_docker_extra_args | default(inventory_hostname) }} to start"
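Review bot: The task name promises certificate-only root login, but `PermitRootLogin without-password` (the deprecated alias of `prohibit-password`) only switches off password and keyboard-interactive authentication for root. Any plain public key in root's `authorized_keys` is still accepted, alongside certificates signed by the `TrustedUserCAKeys` CA set in the task above, which starts outside this hunk. Either rename the task to what it enforces, e.g. `- name: disable password login for root`, and use the current spelling `line: 'PermitRootLogin prohibit-password'`, or add a separate restriction on root's authorized keys if certificate-only is the real requirement. The regexp `'^PermitRootLogin *'` does not match a commented-out default, so the line may be appended at the end of the file and land inside a trailing `Match` block if one exists; `insertbefore` or a regexp that also covers `#PermitRootLogin` avoids that. Adding `validate: '/usr/sbin/sshd -t -f %s'` would keep a broken config from reaching the `restart ssh` handler.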