diff --git a/etc/ssh/ssh-ca.pub b/etc/ssh/ssh-ca.pub
new file mode 100644
index 0000000..8bb372c
--- /dev/null
+++ b/etc/ssh/ssh-ca.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+nJART0HRPz+9ykN6cTQp/ixUoPhbyH01D7SGBXW9Z causer@ca01
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100644
index 0000000..a5580d8
--- /dev/null
+++ b/etc/ssh/sshd_config
@@ -0,0 +1,27 @@
+Port 22
+Protocol 2
+
+ClientAliveInterval 5
+ClientAliveCountMax 2
+Compression no
+TCPKeepAlive no
+X11Forwarding no
+IgnoreRhosts yes
+
+LoginGraceTime 1m
+PermitRootLogin prohibit-password
+MaxAuthTries 3
+MaxSessions 5
+
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+
+TrustedUserCAKeys /etc/ssh/ssh-ca.pub
+
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+
+UsePAM yes
+
+PrintMotd no # pam does that
+Subsystem sftp internal-sftp -l INFO
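Review bot: `TrustedUserCAKeys /etc/ssh/ssh-ca.pub` in the sshd_config hunk is added with no `RevokedKeys` and no `AuthorizedPrincipalsFile`, so every unexpired certificate signed by that CA is accepted for whichever account names it lists as principals, and the server has no way to withdraw one before it expires. Together with `PermitRootLogin prohibit-password` this covers root for any certificate carrying the `root` principal; if that is not intended, set `PermitRootLogin no` or restrict principals per account with `AuthorizedPrincipalsFile <principals-dir>/%u` (placeholder path). Adding `RevokedKeys <path-to-revocation-list>` (placeholder path) gives a revocation point for a leaked user key or certificate. Separately, `PrintMotd no # pam does that` carries a trailing comment, which some OpenSSH releases may reject as trailing garbage on the line; putting the comment on its own line avoids depending on the parser version.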