diff --git a/CHANGELOG.md b/CHANGELOG.md
index adf6be36..0b44a889 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * userlogrotate: add a userlogpurge script disabled by default
 * evolinux-base: configure bashrc for all users
 * bind: Add reload-zone helper
+* evolinux-base: add splitted SSH configuration for Debian >= 12
+* evolinux-users: add splitted SSH configuration for Debian >= 12
+* evocheck: add support for Debian >= 12 splitted SSH configuration
 
 ### Changed
 
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 5b73eebf..d97020e7 100755
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -231,8 +231,15 @@ check_customcrontab() {
     test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
 }
 check_sshallowusers() {
-    grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
-        || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+    if is_debian_bookworm; then
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
+            || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
+            || failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
+    else
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
+            || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+    fi
 }
 check_diskperf() {
     perfFile="/root/disk-perf.txt"
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 98cd3b3d..0baad708 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
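Review bot: The second check in the `is_debian_bookworm` branch is inverted: with `||`, `failed` fires when grep finds no AllowUsers/AllowGroups in /etc/ssh/sshd_config, so a correctly split Debian 12 configuration is reported as "directive present in sshd_config" while a directive that really sits in sshd_config passes silently; the message matches `grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config && failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"`. All three greps are case-insensitive and unanchored, so a commented-out `#AllowUsers` line, or a file in sshd_config.d that sshd never includes (no `.conf` suffix), satisfies the check; anchoring with `'^[[:space:]]*(AllowUsers|AllowGroups)'` and limiting the recursive search with `--include='*.conf'` makes the check reflect what sshd actually loads. If `is_debian_bookworm` (defined outside this hunk) matches only Debian 12, Debian 13 and later fall through to the legacy branch although the changelog entry announces support for Debian >= 12.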
@@ -97,7 +97,21 @@
     replace: "PermitRootLogin no"
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: evolinux_root_disable_ssh | bool
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('11', '<=')
+
+- name: disable SSH access for root (Debian >= 12)
+  ansible.builtin.replace:
+    path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
+    line: "PermitRootLogin no"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  notify: reload sshd
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
+
 ### Disabled : it seems useless and too dangerous for now
 # - name: remove root from AllowUsers directive
diff --git a/evolinux-base/tasks/ssh.included-files.yml b/evolinux-base/tasks/ssh.included-files.yml
index 952b661f..dfae0b2b 100644
--- a/evolinux-base/tasks/ssh.included-files.yml
+++ b/evolinux-base/tasks/ssh.included-files.yml
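Review bot: The new `disable SSH access for root (Debian >= 12)` task passes `line` and `create` to `ansible.builtin.replace`, which takes `regexp`/`replace` and rejects unknown parameters, so the task errors out on every Debian 12 host instead of disabling root login; those parameters belong to `ansible.builtin.lineinfile`, which is what evolinux-users/tasks/ssh.yml uses for the equivalent task, so the one-line fix is `ansible.builtin.lineinfile:`. The target /etc/ssh/sshd_config.d/z-evolinux-defaults.conf is also the destination of the `sshd/defaults.j2` template added in this commit, which already renders `PermitRootLogin no` when `evolinux_root_disable_ssh` is set, so the task is redundant and any line it appends is overwritten on the next template run; dropping it, or giving it its own drop-in file, avoids two tasks managing one file. Minor: `create: yes` should be `create: true`.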
@@ -1,71 +1,14 @@
 ---
-# This is a copy of ssh.single-file.yml
-# It needs to be changed when we move to a included-files configuration
-
-
 - ansible.builtin.debug:
-    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
+    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
   when: evolinux_ssh_password_auth_addresses == []
 
-# From 'man sshd_config' :
-# « If all of the criteria on the Match line are satisfied, the keywords
-# on the following lines override those set in the global section of the config
-# file, until either another Match line or the end of the file.
-# If a keyword appears in multiple Match blocks that are satisfied,
-# only the first instance of the keyword is applied. »
-#
-# We want to allow any user from a list of IP addresses to login with password,
-# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
+- name: add SSH server configuration template
+  ansible.builtin.template:
+    src: sshd/defaults.j2
+    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 
-- name: "Security directives for Evolinux (Debian 10 or later)"
-  ansible.builtin.blockinfile:
-    dest: /etc/ssh/sshd_config
-    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
-    block: |
-      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
-          PasswordAuthentication yes
-      Match Group {{ evolinux_internal_group }}
-          PasswordAuthentication no
-    insertafter: EOF
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when:
-    - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_major_version is version('10', '>=')
-
-- name: Security directives for Evolinux (Jessie/Stretch)
-  ansible.builtin.blockinfile:
-    dest: /etc/ssh/sshd_config
-    marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
-    block: |
-      Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
-          PasswordAuthentication yes
-    insertafter: EOF
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when:
-    - evolinux_ssh_password_auth_addresses != []
-    - ansible_distribution_major_version is version('10', '<')
-
-# We disable AcceptEnv because it can be a security issue, but also because we
-# do not want clients to push their environment variables like LANG.
-- name: disable AcceptEnv in ssh config
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^AcceptEnv'
-    replace: "#AcceptEnv"
-  notify: reload sshd
-  when: evolinux_ssh_disable_acceptenv | bool
-
-- name: Set log level to verbose (for Debian >= 9)
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^#?LogLevel [A-Z]+'
-    replace: "LogLevel VERBOSE"
-  notify: reload sshd
-  when: ansible_distribution_major_version is version('9', '>=')
-
-- name: "Get current user"
+- name: "Get current user's group"
   ansible.builtin.command:
     cmd: logname
   changed_when: False
@@ -73,10 +16,9 @@
   check_mode: no
   when: evolinux_ssh_allow_current_user | bool
 
-# we must double-escape caracters, because python
 - name: verify AllowUsers directive
   ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "grep -ER '^AllowUsers' /etc/ssh"
   failed_when: False
   changed_when: False
   register: grep_allowusers_ssh
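Review bot: The `add SSH server configuration template` task drops the `validate: '/usr/sbin/sshd -t -f %s'` and `notify: reload sshd` that both removed blockinfile tasks carried, so a rendering problem (for example a malformed entry in `evolinux_ssh_password_auth_addresses`) is written to /etc/ssh/sshd_config.d/ without a syntax check, and the new Match rules only take effect when something else reloads sshd; adding `validate: '/usr/sbin/sshd -t -f %s'` and `notify: reload sshd` to the template task restores both safeguards. The removed `disable AcceptEnv in ssh config` task and its `evolinux_ssh_disable_acceptenv` variable have no counterpart in the new template, so that option is silently ignored after this change; either remove it from the role defaults or carry the behaviour over. The template task has no Debian version guard although a drop-in is only read where sshd_config carries an `Include` for sshd_config.d (the TODO at the end of this file notes the same), so unless the caller only includes this file on Debian >= 12, a `when` on `ansible_distribution_major_version` is needed here as in root.yml.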
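Review bot: `grep -ER '^AllowUsers' /etc/ssh` searches every file under /etc/ssh, not only what sshd loads: the Debian 12 `Include` picks up `sshd_config.d/*.conf` only, so a stale backup, a `.dpkg-old` file, or the `allow_evolinux_user` file this same play creates without a `.conf` suffix makes the grep return 0 and the `Add AllowUsers` task is skipped although no effective AllowUsers directive exists. The same pattern is introduced for AllowGroups, AllowUsers and PermitRootLogin in evolinux-users/tasks/ssh.yml and for AllowGroups in evolinux-users/tasks/ssh_allowgroups.yml. Restricting the search to what sshd reads, e.g. `grep -E '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf`, or querying the effective configuration with `sshd -T`, removes the false positives; note also that `-R` here follows symlinks while the sibling tasks use `-r`, so the flags should at least agree.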
@@ -85,20 +27,15 @@
 
 - name: "Add AllowUsers sshd directive for current user"
   ansible.builtin.lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: "\nAllowUsers {{ logname.stdout }}"
+    dest: /etc/ssh/sshd_config.d/allow_evolinux_user
+    line: "AllowUsers {{ logname.stdout }}"
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
   when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
 
-- name: "Modify AllowUsers sshd directive for current user"
-  ansible.builtin.replace:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
-    replace: '\1 {{ logname.stdout }}'
-    validate: '/usr/sbin/sshd -t -f %s'
-  notify: reload sshd
-  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
-
 - ansible.builtin.meta: flush_handlers
+
+# TODO vérifier présence de Include /etc/ssh/sshd_config.d/*.conf
+# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
+# TODO si allowgroups, ajouter groupe de l’utilisateur
diff --git a/evolinux-base/templates/sshd/defaults.j2 b/evolinux-base/templates/sshd/defaults.j2
new file mode 100644
index 00000000..373141a6
--- /dev/null
+++ b/evolinux-base/templates/sshd/defaults.j2
@@ -0,0 +1,15 @@
+Port 22
+{% if evolinux_root_disable_ssh %}
+PermitRootLogin no
+{% endif %}
+LogLevel VERBOSE
+SetEnv LC_ALL=en_US.UTF-8
+
+{% if evolinux_ssh_password_auth_addresses %}
+Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+    PasswordAuthentication yes
+{% endif %}
+{% if evolinux_internal_group %}
+Match Group {{ evolinux_internal_group }}
+    PasswordAuthentication no
+{% endif %}
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 9110911f..ae1db373 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
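Review bot: The new destination `/etc/ssh/sshd_config.d/allow_evolinux_user` has no `.conf` suffix, and the Debian `Include /etc/ssh/sshd_config.d/*.conf` line (the first TODO below refers to it) loads `.conf` files only, so the `AllowUsers {{ logname.stdout }}` line is written but never read by sshd; if an AllowGroups restriction is set elsewhere this leaves the current user unable to log in rather than allowed. `lineinfile` also fails when the target file does not exist unless `create: true` is given, and `insertafter: 'Subsystem'` has no meaning in a fresh drop-in; suggested: `dest: /etc/ssh/sshd_config.d/<drop-in name>.conf` (placeholder), `create: true`, and drop the `insertafter`. Removing the `Modify AllowUsers` task means that when `grep_allowusers_ssh.rc == 0` the current user is no longer appended to any AllowUsers directive (the second TODO hints at this), so that branch now silently does nothing.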
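Review bot: `Port 22` is hard-coded at the top of the drop-in; as far as I know sshd accepts several `Port` directives and listens on all of them, so a host whose sshd_config deliberately sets another port keeps listening on 22 as well once this file is installed, which quietly widens exposure. Either omit the line (22 is the built-in default) or drive it from a role variable. The `PermitRootLogin no` block duplicates the `disable SSH access for root (Debian >= 12)` task in evolinux-base/tasks/root.yml, which targets the very same file; one of the two should own the directive. A one-line header such as `# Managed by Ansible (evolinux-base) - local edits will be overwritten` would tell an operator why their changes to this file disappear.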
@@ -2,7 +2,7 @@
 
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowGroups' /etc/ssh"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -14,7 +14,7 @@
 
 - name: verify AllowUsers directive
   ansible.builtin.command:
-    cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowUsers' /etc/ssh"
   changed_when: False
   failed_when: False
   check_mode: no
@@ -62,6 +62,36 @@
     regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
     replace: "PermitRootLogin no"
   notify: reload sshd
-  when: evolinux_root_disable_ssh | bool
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('11', '<=')
+
+- name: verify PermitRootLogin directive (Debian >= 12)
+  ansible.builtin.command:
+    cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  register: grep_permitrootlogin_ssh
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
+
+# TODO avertir lorsque PermitRootLogin est déjà configuré?
+- ansible.builtin.debug:
+    var: grep_permitrootlogin_ssh
+    verbosity: 1
+
+- name: disable root login (Debian >= 12)
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "PermitRootLogin no"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+    insertbefore: "BOF"
+  notify: reload sshd
+  when:
+    - evolinux_root_disable_ssh | bool
+    - ansible_distribution_major_version is version('12', '>=')
+    - grep_permitrootlogin_ssh.rc == 1
 
 - ansible.builtin.meta: flush_handlers
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 2dac1f80..fd74a7c0 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
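Review bot: The `disable root login (Debian >= 12)` task runs only when `grep_permitrootlogin_ssh.rc == 1`, so a host that already carries an explicit `PermitRootLogin yes` in sshd_config or any drop-in (which the recursive grep will find) is silently left with root login enabled even though `evolinux_root_disable_ssh` is true; the only trace is a debug message at verbosity 1, which nobody sees in a normal run. The TODO above the debug task already asks for a warning; the minimum is to fail or warn when the match is not already `no`, for example a `- ansible.builtin.fail:` with `msg: "PermitRootLogin already set elsewhere: {{ grep_permitrootlogin_ssh.stdout }}"` and `when: grep_permitrootlogin_ssh.rc == 0 and 'PermitRootLogin no' not in grep_permitrootlogin_ssh.stdout`. Minor: `create: yes` should be `create: true`, and the debug task has no `when`, so on Debian <= 11 it prints the skipped-task result of the register.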
@@ -4,11 +4,13 @@
 # even if it's been done before
 - name: verify AllowGroups directive
   ansible.builtin.command:
-    cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+    cmd: "grep -Er '^AllowGroups' /etc/ssh"
   changed_when: False
   failed_when: False
   check_mode: no
   register: grep_allowgroups_ssh
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
 
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
   ansible.builtin.lineinfile:
@@ -17,7 +19,9 @@
     insertafter: 'Subsystem'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowgroups_ssh.rc != 0
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
+    - grep_allowgroups_ssh.rc != 0
 
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
   ansible.builtin.replace:
@@ -26,4 +30,15 @@
     replace: '\1 {{ evolinux_ssh_group }}'
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
-  when: grep_allowgroups_ssh.rc == 0
+  when:
+    - ansible_distribution_major_version is version('11', '<=')
+    - grep_allowgroups_ssh.rc == 0
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
+    line: "AllowGroups {{ evolinux_ssh_group }}"
+    create: yes
+    validate: '/usr/sbin/sshd -t -f %s'
+  when:
+    - ansible_distribution_major_version is version('12', '>=')
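Review bot: The new Debian >= 12 `Add AllowGroups sshd directive` task in the last hunk has no `notify: reload sshd`, unlike the three Debian <= 11 tasks above it, so the AllowGroups restriction written to /etc/ssh/sshd_config.d/z-evolinux-users.conf does not take effect until sshd happens to be reloaded for another reason; add `notify: reload sshd` at task level. It also reuses the exact name of the Debian <= 11 task, which makes play output and `--start-at-task` ambiguous, so suffixing it with `(Debian >= 12)` as the sibling tasks in evolinux-users/tasks/ssh.yml do would help. `create: yes` should be `create: true`.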