diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 7998b714..5b6967da 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -66,15 +66,31 @@
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('11', '<=')
 
+- name: verify PermitRootLogin directive
+ ansible.builtin.command:
+ cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
+ changed_when: False
+ failed_when: False
+ check_mode: no
+ register: grep_permitrootlogin_ssh
+ when:
+ - ansible_distribution_major_version is version('12', '>=')
+
+# TODO avertir lorsque PermitRootLogin est déjà configuré?
+- ansible.builtin.debug:
+ var: grep_permitrootlogin_ssh
+ verbosity: 1
+
 - name: disable root login (Debian <= 12)
 ansible.builtin.replace:
 path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
 line: "PermitRootLogin no"
 create: yes
- validate: '/usr/sbin/sshd -t -f %s'
+ validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-defaults.conf'
 notify: reload sshd
 when:
 - evolinux_root_disable_ssh | bool
 - ansible_distribution_major_version is version('12', '>=')
+ - grep_permitrootlogin_ssh.rc != 1
 
 - ansible.builtin.meta: flush_handlers
diff --git a/evolinux-users/tasks/ssh_allowgroups.yml b/evolinux-users/tasks/ssh_allowgroups.yml
index 2dac1f80..6972b82b 100644
--- a/evolinux-users/tasks/ssh_allowgroups.yml
+++ b/evolinux-users/tasks/ssh_allowgroups.yml
@@ -4,11 +4,13 @@
 # even if it's been done before
 - name: verify AllowGroups directive
 ansible.builtin.command:
- cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
+ cmd: "grep -E '^AllowGroups' /etc/ssh"
 changed_when: False
 failed_when: False
 check_mode: no
 register: grep_allowgroups_ssh
+ when:
+ - ansible_distribution_major_version is version('11', '<=')
 
 - name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
 ansible.builtin.lineinfile:
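Review bot: The new `validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-defaults.conf'` drops the `%s` placeholder, and as far as I know `ansible.builtin.replace` (like `lineinfile`) rejects a validate command that does not contain `%s`, so the "disable root login" task would error on every Debian >= 12 run instead of checking anything; the new lineinfile task at the end of ssh_allowgroups.yml makes the same change. Keeping `validate: '/usr/sbin/sshd -t -f %s'` validates the temporary copy before it is moved into place, which is the only form the module supports. The added condition `- grep_permitrootlogin_ssh.rc != 1` also looks inverted: grep exits 1 when no `^PermitRootLogin` line exists, which is precisely when the directive should be written, while exit 0 (already configured somewhere under /etc/ssh, including by this role's own z-evolinux-defaults.conf) makes the task run; `- grep_permitrootlogin_ssh.rc != 0` would match the AllowGroups logic in this role. Separately, the task this hunk edits uses `ansible.builtin.replace` with `line:` and `create:`, which are lineinfile parameters rather than replace ones, so it is worth confirming this task ever succeeded as written.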
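Review bot: The rewritten `cmd: "grep -E '^AllowGroups' /etc/ssh"` points grep at a directory without `-r`, so on Debian <= 11 it exits 2 ("Is a directory") rather than 0 or 1; `failed_when: False` hides that, `grep_allowgroups_ssh.rc != 0` in the following task is then always true, and the "Add AllowGroups" lineinfile runs even when the directive already exists in sshd_config while the "Append" task can never run. Either restore the original target, `cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"`, or mirror the PermitRootLogin check in ssh.yml with `cmd: "grep -Er '^AllowGroups' /etc/ssh"`. The "Add AllowGroups" task continues past the end of this hunk.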
@@ -17,7 +19,9 @@
 insertafter: 'Subsystem'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: grep_allowgroups_ssh.rc != 0
+ when:
+ - grep_allowgroups_ssh.rc != 0
+ - ansible_distribution_major_version is version('11', '<=')
 
 - name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
 ansible.builtin.replace:
@@ -26,4 +30,15 @@
 replace: '\1 {{ evolinux_ssh_group }}'
 validate: '/usr/sbin/sshd -t -f %s'
 notify: reload sshd
- when: grep_allowgroups_ssh.rc == 0
+ when:
+ - grep_allowgroups_ssh.rc == 0
+ - ansible_distribution_major_version is version('11', '<=')
+
+- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config.d/z-evolinux-users
+ line: "AllowGroups {{ evolinux_ssh_group }}"
+ create: yes
+ validate: '/usr/sbin/sshd -t -f /etc/ssh/sshd_config.d/z-evolinux-users'
+ when:
+ - ansible_distribution_major_version is version('12', '>=')
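Review bot: In the new `when:` list, `- grep_allowgroups_ssh.rc != 0` comes before the version check, and on Debian >= 12 the registered variable belongs to a task that was skipped by the `when:` added in the previous hunk, so it carries no `rc` key; Ansible evaluates list conditions in order, as far as I can tell, so this raises an undefined-attribute error instead of skipping. The "Append" task in the next hunk has the same ordering with `rc == 0`. Put `- ansible_distribution_major_version is version('11', '<=')` first in both lists, or guard with `- grep_allowgroups_ssh.rc is defined`. Both tasks begin before their hunk starts.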
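Review bot: The Debian >= 12 task writes to `path: /etc/ssh/sshd_config.d/z-evolinux-users`, which has no `.conf` suffix; if the host keeps Debian's stock `Include /etc/ssh/sshd_config.d/*.conf`, sshd never reads the file and the AllowGroups restriction is silently not enforced, whereas the root-login task in ssh.yml uses `z-evolinux-defaults.conf`. Renaming to `path: /etc/ssh/sshd_config.d/z-evolinux-users.conf` (and updating the validate path accordingly) fixes that. The task also has no `notify: reload sshd`, unlike the two Debian <= 11 tasks above it, so a changed file is not applied until the next sshd reload, and its `validate` line without `%s` will be rejected by lineinfile just as in ssh.yml.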