diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 4c66324a..71cb9f3d 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -88,4 +88,13 @@
 notify: reload sshd
 when: evolinux_root_disable_ssh
 
+- name: remove root from AllowUsers directive
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+ replace: '\1\4'
+ validate: '/usr/sbin/sshd -T -f %s'
+ notify: reload sshd
+ when: evolinux_root_disable_ssh
+
 - meta: flush_handlers
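Review bot: The `regexp` in the added `replace` task does not anchor `root` to a whole whitespace-delimited token, so with an entry such as `chroot` or `rootbackup` on the `AllowUsers` line it would cut `root` out of the middle of that name and leave a different account name in the allow list. Its `\s` can also match the line's newline under the multi-line matching the `replace` module uses, so a line that is exactly `AllowUsers root` appears to get the following line pulled into it, and `sshd -T` may still accept the result. I would match the token explicitly with `regexp: '^(AllowUsers(?:[ \t]+(?!root(?:@\S+)?(?:[ \t]|$))\S+)*)[ \t]+root(?:@\S+)?(?=[ \t]|$)(.*)$'` and `replace: '\1\2'`. Only one `root` pattern is removed per line per run, so a line carrying several `root@host` entries still permits root after the first pass; a comment on the task saying so, or a follow-up check that fails while `root` is still listed, would make that visible. With the token-based pattern a line whose only entry is `root` becomes a bare `AllowUsers`, and whether the `validate` step rejects that probably depends on the OpenSSH version, so that case is worth handling explicitly.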