diff --git a/roles/accounts/defaults/main.yml b/roles/accounts/defaults/main.yml
new file mode 100644
index 0000000..c3306fa
--- /dev/null
+++ b/roles/accounts/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+evobsd_root_login: "no"
diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml
index 9d29a34..de2b030 100644
--- a/roles/accounts/tasks/main.yml
+++ b/roles/accounts/tasks/main.yml
@@ -107,8 +107,8 @@
 - name: "Disable root login"
 replace:
 dest: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
- replace: "PermitRootLogin no"
+ regexp: '^PermitRootLogin\s+(yes|without-password|prohibit-password)'
+ replace: "PermitRootLogin {{ evobsd_root_login }}"
 notify: reload sshd
 tags:
 - accounts
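Review bot: The new default `evobsd_root_login` has no comment saying which values are accepted or that an override must stay quoted. An inventory override written as bare `no` or `yes` is read as a boolean by YAML 1.1 loaders, and the template in roles/accounts/tasks/main.yml would then most likely render `PermitRootLogin False` or `PermitRootLogin True`, which sshd does not accept. I would add above the variable: `# Written verbatim after PermitRootLogin; one of "no", "prohibit-password", "forced-commands-only", "yes". Always quote the value.`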
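Review bot: The new `replace:` line writes `evobsd_root_login` into sshd_config unchecked, while the task is still named "Disable root login" and the `regexp` only matches an active line set to `yes`, `without-password` or `prohibit-password`. A host whose line already reads `PermitRootLogin no`, or has it commented out, is never touched, so a later change of the variable does not converge, and a mistyped value produces a config that sshd may refuse on reload. Adding `validate: '/usr/sbin/sshd -t -f %s'` to the module arguments and widening the pattern to `'^PermitRootLogin[ \t]+\S+'` would cover both; `[ \t]` instead of `\s` also keeps the match from running across a newline. Renaming the task to something like "Set PermitRootLogin" would keep the name accurate when the variable is not `no`.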