diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 5b6967da..660fb766 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -66,7 +66,7 @@
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('11', '<=')
-- name: verify PermitRootLogin directive
+- name: verify PermitRootLogin directive (Debian >= 12)
 ansible.builtin.command:
 cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
 changed_when: False
@@ -81,12 +81,12 @@
 var: grep_permitrootlogin_ssh
 verbosity: 1
-- name: disable root login (Debian <= 12)
- ansible.builtin.replace:
+- name: disable root login (Debian >= 12)
+ ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
 create: yes
- validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-defaults.conf'
+ validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
 when:
 - evolinux_root_disable_ssh | bool
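Review bot: The new `ansible.builtin.lineinfile` task in the second hunk has no `regexp`, so if z-evolinux-defaults.conf already holds a different `PermitRootLogin` value the module appends `PermitRootLogin no` after it instead of replacing it. sshd keeps the first value it obtains for a keyword, so the older line would still win; adding `regexp: '^\s*PermitRootLogin\s'` next to `line:` makes the task rewrite the existing directive. `validate: '/usr/sbin/sshd -t -f %s'` checks only the staged drop-in on its own, so a conflicting directive in /etc/ssh/sshd_config or an earlier-sorted drop-in is not caught here (presumably that is what the preceding grep task is for). Because `create: yes` is set, an explicit `mode: "0644"` would pin the new file's permissions instead of leaving them to the umask. The task's `when` list may continue past the end of the hunk.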