diff --git a/defaults/main.yml b/defaults/main.yml
index 8045d63bd5ad4c039115b443e582959bc3ef89c6..6a4a0525f8b5f88f4889d5e046a0ee6c1ff28b94 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,6 +14,7 @@ pss_nas_software_files:
   - test.zip
 
 pss_nas_softs_owner: root
+pss_bastion_host: pss_bastion_01.tn.esss.lu.se
 
 pss_soft_artifactory_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
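Review bot: The new default `pss_bastion_host` is spelled with underscores (`pss_bastion_01.tn.esss.lu.se`), while the sshd_config.j2 template added in this commit hard-codes `pss-bastion-01.tn.esss.lu.se` with hyphens, and underscores are not valid in a host name. No visible hunk references the variable, so this default and the access list in the template can drift apart without anyone noticing. I would set `pss_bastion_host: pss-bastion-01.tn.esss.lu.se` here and have the template's AllowUsers entry read `csi@{{ pss_bastion_host }}`.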
diff --git a/handlers/main.yml b/handlers/main.yml
index 78356b7bff46aca15db08b083d970998a9754fd0..22af5ba86fa98e6122e2464353d241bb0c32d96e 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,3 +13,8 @@
   with_items:
     - { key: 'AutomaticAction', value: 'delete' }
     - { key: 'ScanArchives', value: 'enabled' }
+
+- name: restart_ssh
+  service:
+    name: sshd
+    state: restarted
diff --git a/tasks/custom_pss.yml b/tasks/custom_pss.yml
index 64dda098daf421fd36b76a0b8c3eab8b561ff013..c23086a111dfbcf16fc86452e78fa5ba38d3326e 100644
--- a/tasks/custom_pss.yml
+++ b/tasks/custom_pss.yml
@@ -23,3 +23,11 @@
     owner: root
     group: root
     mode: 0644
+- name: manage ssh allowed users for PSS NAS
+  template:
+    src: sshd_config.j2
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart_ssh
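Review bot: The new task installs `/etc/ssh/sshd_config` and notifies a restart without checking the rendered file, so a template mistake leaves sshd unable to start and cuts off remote access to the NAS. Add `validate: /usr/sbin/sshd -t -f %s` to the `template` arguments (adjust the binary path to the target distribution) so an invalid file is never put in place. The task replaces the whole daemon configuration rather than only the allowed users, so its name could say so. Quoting the mode as `mode: '0640'` would also avoid relying on YAML octal parsing.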
diff --git a/tasks/main.yml b/tasks/main.yml
index b1bc8ade0c0b111865143ada744179eef5f680b8..0fe2603a391b70e8be0212bd01e093cc0fc003f0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,6 +13,7 @@
     - tcpdump
     - samba-winbind
     - samba-winbind-clients
+    - openssh-server
 
 - name: setup smb.conf
   template:
diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..cc3098628c1e0078527d7a8168e29ec0113ad886
--- /dev/null
+++ b/templates/sshd_config.j2
@@ -0,0 +1,19 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+SyslogFacility AUTHPRIV
+AuthorizedKeysFile  .ssh/authorized_keys
+PasswordAuthentication yes
+ChallengeResponseAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+UsePAM yes
+X11Forwarding yes
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+Subsystem sftp  /usr/libexec/openssh/sftp-server
+Match User csi
+    PasswordAuthentication no
+AllowUsers  csi@172.16.50.11 csi@pss-bastion-01.tn.esss.lu.se
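Review bot: `AllowUsers` on the last line comes after `Match User csi`, and a Match block runs until the next Match line or the end of the file regardless of indentation, so the directive belongs to that block and not to the global section. Depending on the OpenSSH version it is then either refused when the file is loaded or applied only to csi sessions, which would leave every other account unrestricted while `PasswordAuthentication yes` is set globally. Move `AllowUsers csi@172.16.50.11 csi@pss-bastion-01.tn.esss.lu.se` above the `Match User csi` line. With csi as the only permitted user and password login disabled for it, the global setting can be `PasswordAuthentication no`, and `X11Forwarding no` is the safer default unless X11 is actually needed on this host.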