diff --git a/roles/pam_sshd/tasks/main.yml b/roles/pam_sshd/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c445a9267c2fafc48cbdfa4bec31a1c455e7575d
--- /dev/null
+++ b/roles/pam_sshd/tasks/main.yml
@@ -0,0 +1,5 @@
+- name: "Copy password sshd pam config"
+  template: src=sshd.j2 dest=/etc/pam.d/sshd
+  become: true
+  become_user: root
+
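Review bot: The `template` task that writes `/etc/pam.d/sshd` sets no `owner`, `group` or `mode`, so the permissions of the file that defines the SSH PAM stack depend on what is already on the host, or on the umask when the file is first created. There is also no `backup`, so a bad render leaves no copy of the previous stack to restore from if SSH logins stop working. I would set these explicitly and, while there, replace the `key=value` string with native YAML arguments. The mode is quoted so it is not read as an octal integer.

```yaml
- name: "Copy password sshd pam config"
  template:
    src: sshd.j2
    dest: /etc/pam.d/sshd
    owner: root
    group: root
    mode: "0644"
    backup: true
  # … unchanged: become / become_user …
```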
diff --git a/roles/pam_sshd/templates/sshd.j2 b/roles/pam_sshd/templates/sshd.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0b73a8cf8b40633aab0a55f2be817562d6eb0391
--- /dev/null
+++ b/roles/pam_sshd/templates/sshd.j2
@@ -0,0 +1,21 @@
+#%PAM-1.0
+auth	   required	pam_sepermit.so
+auth       substack     password-auth
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup systems
+account    required     pam_nologin.so
+account    include      password-auth
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      password-auth
+session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare
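Review bot: The rule `account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup systems` is the only uncommented non-obvious line in this file, and it is the one that changes who gets in. On success it skips the next account rule, `pam_nologin.so`, so members of `systems` can presumably still log in over SSH while `/etc/nologin` is present. I would add a comment above it such as `# Members of group "systems" skip pam_nologin; success=1 jumps exactly one rule, so keep pam_nologin directly below`. The jump is positional, so a rule inserted between the two lines later would silently change what is skipped. `quiet` also suppresses logging for both outcomes; `quiet_fail` would log each time the skip is taken, which is worth having for auditing.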