diff --git a/inventory/ffspveguests b/inventory/ffspveguests
index 3cca7f93025f2730149736c754246c492bc47bb3..d6c4f24964300f6ed2c0447a0e3cec0ce79775ff 100644
--- a/inventory/ffspveguests
+++ b/inventory/ffspveguests
@@ -71,3 +71,4 @@ ffspveguests:
     nrb-backbonetest2.vm.freifunk-stuttgart.de:
       ansible_ssh_host: 2a01:4f8:172:feff:be24:11ff:fe8b:8979
       ansible_ssh_user: root
+    test-ansible01.vm.freifunk-stuttgart.de:
diff --git a/roles/ssh/files/sshd-10-disable-password-auth.conf b/roles/ssh/files/sshd-10-disable-password-auth.conf
new file mode 100644
index 0000000000000000000000000000000000000000..861ba7473a5260da0b4fe41ac4b54713c476aee1
--- /dev/null
+++ b/roles/ssh/files/sshd-10-disable-password-auth.conf
@@ -0,0 +1,2 @@
+# ANSIBLE managed
+PasswordAuthentication no
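Review bot: This drop-in only takes effect where /etc/ssh/sshd_config has an `Include /etc/ssh/sshd_config.d/*.conf` line ahead of any `PasswordAuthentication` setting of its own, because sshd keeps the first value it reads for a keyword. Nothing in this commit checks for that line, so on a host without it password login would stay enabled with no error. `PasswordAuthentication no` also leaves keyboard-interactive authentication untouched, and with PAM enabled that path can still prompt for a password unless the distribution default already disables it. I would add `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older OpenSSH) and a header comment such as `# Relies on the Include of sshd_config.d/*.conf at the top of sshd_config`.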
diff --git a/roles/ssh/files/sshd-11-pubkeys-from-etc.conf b/roles/ssh/files/sshd-11-pubkeys-from-etc.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e3b714190015e8ff404474dda18eea60261691bf
--- /dev/null
+++ b/roles/ssh/files/sshd-11-pubkeys-from-etc.conf
@@ -0,0 +1,5 @@
+# ANSIBLE managed
+AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
+Match User root
+	AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u /etc/pve/priv/authorized_keys
+
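Review bot: The global `AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u` stops sshd from reading `~/.ssh/authorized_keys` for every account, so any account whose key file is not rendered by this repository loses key login at the next sshd restart, and the file does not say so. The `Match User root` line additionally trusts `/etc/pve/priv/authorized_keys`, which no task in this diff manages, so keys placed there keep root access regardless of `user_database`. A comment above each directive would document both as intentional, for example `# Keys are read only from root-owned files under /etc/ssh; ~/.ssh/authorized_keys is ignored` and `# /etc/pve/priv/authorized_keys is presumably maintained by Proxmox VE, not by Ansible`.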
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
index 4c77b63b82b66ae6cf28cbd9f4731edba5d56f7d..0968ec0a62104e08f384fa75180fc3a7f8e39d01 100644
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@@ -1,9 +1,43 @@
 ---
+- name: Fail when no root public keys would be deployed
+  ansible.builtin.fail:
+    msg: No public keys would be deployed
+  when: "users_root|default([]) == [] and users_root_group|default([]) == []"
+
+- name: Ensure SSH dropin configuration file directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/sshd_config.d
+    state: directory
+    mode: "0755"
+
 - name: Disable SSH password login
-  lineinfile:
-    regexp: "^#?PasswordAuthentication"
-    line: "PasswordAuthentication no"
-    path: /etc/ssh/sshd_config
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/10-disable-password-auth.conf
+    mode: "0644"
+    src: sshd-10-disable-password-auth.conf
   notify:
     - restart ssh
   when: ssh_disable_password_login
+
+- name: Ensure SSH authorized keys directory exists
+  ansible.builtin.file:
+    path: /etc/ssh/authorized_keys.d
+    state: directory
+    mode: "0755"
+
+- name: Read public keys /etc and not from users home directory
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_config.d/11-pubkeys-from-etc.conf
+    mode: "0644"
+    src: sshd-11-pubkeys-from-etc.conf
+  notify:
+    - restart ssh
+  when: ssh_disable_password_login
+
+- name: Authorize public keys for root
+  ansible.builtin.template:
+    dest: /etc/ssh/authorized_keys.d/root
+    src: ssh-root-authorized-keys
+    owner: root
+    group: root
+    mode: "0644"
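Review bot: The task that installs `11-pubkeys-from-etc.conf` is gated on `ssh_disable_password_login`, while the key files under /etc/ssh/authorized_keys.d are written unconditionally and the `authorized_key` tasks are removed elsewhere in this commit. On a host where that variable is false, sshd presumably keeps reading `~/.ssh/authorized_keys`, which nothing updates any more, so new keys never become valid and keys dropped from `user_database` stay valid. I would remove the `when:` from that task (or give it its own variable) and move it below "Authorize public keys for root", so the key file exists before sshd is pointed at it. The old `~/.ssh/authorized_keys` files are also left on disk and would become live again if the drop-in were ever removed. Adding `validate: 'sshd -t -f %s'` to both copy tasks would catch a broken fragment before the restart handler runs.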
diff --git a/roles/ssh/templates/ssh-root-authorized-keys b/roles/ssh/templates/ssh-root-authorized-keys
new file mode 100644
index 0000000000000000000000000000000000000000..15ffdad2eb3b78dcd56cc0dafc3c4a81b83f18a2
--- /dev/null
+++ b/roles/ssh/templates/ssh-root-authorized-keys
@@ -0,0 +1,8 @@
+# ANSIBLE managed
+{% for user in user_database.keys()|list %}
+{% for pubkey in user_database[user].pubkeys %}
+{% if user in users_root|default([]) or user in users_root_group|default([]) %}
+{{ pubkey }} {{ user }}
+{% endif %}
+{% endfor %}
+{% endfor %}
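Review bot: `revoked_pubkeys` is no longer consulted here or in roles/users/templates/ssh-user-authorized-keys. The removed tasks deleted every key in that list after adding `pubkeys`, so a key present in both lists ended up unauthorized, whereas these templates render it. If a `user_database` entry can carry a key in both lists, skip the revoked ones, e.g. wrap the output line in `{% if pubkey not in user_database[user].revoked_pubkeys|default([]) %}`. As a style point, the `{% if user in … %}` test does not depend on `pubkey` and reads better hoisted above the inner loop.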
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index f9fc4a740186ccaf8444d308c71555a6e2c7f217..9c24959b1e976a7d04d7fe64d57b033aa287c42e 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -4,11 +4,6 @@
     msg: No users are in users nor in users_group
   when: "users|default([]) == [] and users_group|default([]) == []"
 
-- name: Fail when no root public keys would be deployed
-  ansible.builtin.fail:
-    msg: No public keys would be deployed
-  when: "users_root|default([]) == [] and users_root_group|default([]) == []"
-
 - name: Creating users
   include_tasks: user.yml 
   loop: "{{ users|default([]) + users_group|default([]) }}" 
@@ -20,10 +15,3 @@
   loop: '{{ user_database | dict2items }}'
   loop_control:
     loop_var: user
-
-- name: Deploying public key for users with root access
-  include_tasks: root_pubkey.yml
-  vars:
-  loop: '{{ user_database.keys() | list }}'
-  loop_control:
-    loop_var: user
diff --git a/roles/users/tasks/root_pubkey.yml b/roles/users/tasks/root_pubkey.yml
deleted file mode 100644
index 07d75675036bae287737da0515db7f00a5d15b85..0000000000000000000000000000000000000000
--- a/roles/users/tasks/root_pubkey.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: "Deploying {{ user }} public keys for root"
-  authorized_key:
-    user: "root"
-    state: '{{ (user in users_root|default([]) or user in users_root_group|default([]) ) | ternary("present", "absent") }}'
-    key: '{{ item }}'
-    comment: '{{ user }} {{ (item|split(" "))[2]|default("") }}'
-    follow: yes
-  loop: '{{ user_database[user].pubkeys }}'
-
-- name: "Remove revoked {{ user }} public keys for root"
-  authorized_key:
-    user: "root"
-    state: absent
-    key: '{{ item }}'
-    comment: '{{ user }}'
-    follow: yes
-  loop: '{{ user_database[user].revoked_pubkeys }}'
-  when: 'user_database[user].revoked_pubkeys is defined'
diff --git a/roles/users/tasks/user.yml b/roles/users/tasks/user.yml
index 67c5aa2e2041d7b4f5edb4d0792521ba8c132be6..1f54621cf0f98ac4fbfedb64bb60114821a88446 100644
--- a/roles/users/tasks/user.yml
+++ b/roles/users/tasks/user.yml
@@ -11,17 +11,10 @@
     group: "{{ user }}"
     shell: /bin/bash
 
-- name: "Add ssh keys for {{ user }}"
-  authorized_key:
-    user: "{{ user }}"
-    state: present
-    key: '{{ item }}'
-  loop: '{{ user_database[user].pubkeys }}'
-
-- name: "Remove revoked ssh keys for {{ user }}"
-  authorized_key:
-    user: "{{ user }}"
-    state: absent
-    key: '{{ item }}'
-  loop: '{{ user_database[user].revoked_pubkeys }}'
-  when: 'user_database[user].revoked_pubkeys is defined'
+- name: "Authorize public keys for user {{ user }}"
+  ansible.builtin.template:
+    dest: "/etc/ssh/authorized_keys.d/{{ user|quote }}"
+    src: ssh-user-authorized-keys
+    owner: root
+    group: root
+    mode: "0644"
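Review bot: `{{ user|quote }}` in `dest` applies shell quoting to a filesystem path, which does not make the path safe. For ordinary names it is a no-op and it leaves `/` and `..` untouched, while any name it does quote gains literal quote characters and no longer matches sshd's `%u`. Use plain `{{ user }}` and validate the name before this task, for example with an `ansible.builtin.assert` whose condition is `that: user is match('^[a-z_][a-z0-9_-]*$')`. Separately, nothing in this diff removes `/etc/ssh/authorized_keys.d/<name>` for an account later dropped from `users`, so its keys stay authorized for as long as the account exists.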
diff --git a/roles/users/templates/ssh-user-authorized-keys b/roles/users/templates/ssh-user-authorized-keys
new file mode 100644
index 0000000000000000000000000000000000000000..4a95e8648a22eee7c5a58f5a078d99b2e2fbb9d5
--- /dev/null
+++ b/roles/users/templates/ssh-user-authorized-keys
@@ -0,0 +1,4 @@
+# ANSIBLE managed
+{% for pubkey in user_database[user].pubkeys %}
+{{ pubkey }} {{ user }}
+{% endfor %}