diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index 1845416dc..b0f2df3fe 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@@ -37,6 +37,12 @@
 set_fact:
 uuid: "{{ stored_uuid.stdout_lines[0] }}"
+- name: SSHD
+ include_role:
+ name: sshd
+ # has no "when: XXXXX_install" flag
+ tags: base, sshd
+
 - name: OPENVPN
 include_role:
 name: openvpn
diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml
index 8989677a6..3dc010450 100644
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@@ -3,13 +3,6 @@
 - name: ...IS BEGINNING ==================================
 command: echo
-# MANDATORY SO PERHAPS THIS BELONGS IN 3-BASE-SERVER ?
-- name: SSHD
- include_role:
- name: sshd
- # has no "when: XXXXX_install" flag
- tags: base, sshd
-
 - name: Installing dnsmasq
 include_tasks: roles/network/tasks/dnsmasq.yml
 when: dnsmasq_install
diff --git a/roles/iiab-admin/files/dummy_authorized_keys b/roles/sshd/files/dummy_authorized_keys
similarity index 100%
rename from roles/iiab-admin/files/dummy_authorized_keys
rename to roles/sshd/files/dummy_authorized_keys
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 560774ff3..567fd72dd 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
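Review bot: The moved `SSHD` include in roles/1-prep/tasks/main.yml keeps the comment `# has no "when: XXXXX_install" flag`, which reads as if the role runs unconditionally, while the sshd role's own tasks gate on `sshd_enabled` (see roles/sshd/tasks/main.yml in this same commit); replace it with `# unconditional here on purpose: roles/sshd gates its tasks on sshd_enabled`. `tags: base, sshd` is a plain scalar that Ansible splits on commas, but the list form `tags: [base, sshd]` reads unambiguously as two tags rather than one string. The deleted copy of this task in roles/4-server-options/tasks/main.yml had the same two issues, so only the 1-prep hunk needs the change.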
@@ -1,18 +1,40 @@
 - name: Disable root login with password
- lineinfile: dest=/etc/ssh/sshd_config
- regexp='^PermitRootLogin'
- line='PermitRootLogin without-password'
- state=present
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin without-password'
+ state: present
 #TODO: use handler to reload ssh
-- name: Enable sshd
- service: name={{ sshd_service }}
- enabled=yes
- state=started
+- name: Create root .ssh
+ file:
+ path: /root/.ssh
+ owner: root
+ group: root
+ mode: 0700
+ state: directory
+ when: sshd_enabled
+
+- name: Install dummy root keys as placeholder
+ copy:
+ src: dummy_authorized_keys
+ dest: /root/.ssh/authorized_keys
+ owner: root
+ group: root
+ mode: 0600
+ force: no
+ when: sshd_enabled
+
+- name: Enable & start sshd
+ service:
+ name: "{{ sshd_service }}"
+ enabled: yes
+ state: started
 when: sshd_enabled
 - name: Disable sshd
- service: name={{ sshd_service }}
- enabled=no
- state=stopped
+ service:
+ name: "{{ sshd_service }}"
+ enabled: no
+ state: stopped
 when: not sshd_enabled
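Review bot: The rewritten `Disable root login with password` task still has no `notify:`, so a changed sshd_config is never applied to an already-running daemon — `Enable & start sshd` uses `state: started`, which leaves a running service untouched, and the surviving `#TODO: use handler to reload ssh` comment says as much; add `notify:` on that task pointing at a reload/restart handler for `{{ sshd_service }}` (handler name to be chosen, none exists on this page). `Install dummy root keys as placeholder` writes `/root/.ssh/authorized_keys` on every host where `sshd_enabled` is set, and with `PermitRootLogin without-password` in effect any public key present in `dummy_authorized_keys` would be a root login shared by every installation, so if the file is meant to hold only comments, say so on the task: `# placeholder only: must contain no real public keys (key-based root login is permitted above)`. `force: no` correctly avoids clobbering an existing authorized_keys, but it appears the `mode: 0600` is then only enforced on the first copy — worth confirming against the copy module. Separately, `mode: 0700`/`mode: 0600` are unquoted octal literals and `enabled: yes`/`enabled: no`/`force: no` are YAML 1.1 truthy words; Ansible accepts both, but `mode: "0700"`, `mode: "0600"` and `true`/`false` avoid parser-dependent readings and match the yamllint defaults.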