diff --git a/roles/debian_server/handlers/main.yml b/roles/debian_server/handlers/main.yml
index a643629675a261b953caa71baace287364721587..b7683341f8234196485cfb892a7d484bab1f80fc 100644
--- a/roles/debian_server/handlers/main.yml
+++ b/roles/debian_server/handlers/main.yml
@@ -10,3 +10,8 @@
 - name: Update GRUB
   command:
     cmd: update-grub
+
+- name: Restart the SSH daemon
+  service:
+    name: ssh
+    state: restarted
diff --git a/roles/debian_server/tasks/main.yml b/roles/debian_server/tasks/main.yml
index ece8e1bbb45cdd77b6386640554f3612792ea6c0..0a4df56d1b7d696e2b19021f4ad85dad424ef2bc 100644
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -106,19 +106,11 @@
     state: present
     value: "640000"
 
-- name: Secure SSH
-  with_dict:
-    PermitRootLogin: !!str no
-    PasswordAuthentication: !!str no
-  lineinfile:
-    backup: true
-    line: |-
-      {{ item.key }} {{ item.value }}
-    path: /etc/ssh/sshd_config
-    regexp: |-
-      {{ item.key }}
-    state: present
-    validate: sshd -Tf %s
+- name: Configure the SSH daemon
+  include_tasks:
+    file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
+  tags:
+    - always
 
 - name: Make /tmp a tmpfs mount
   ansible.posix.mount:
diff --git a/roles/router/tasks/main.yaml b/roles/router/tasks/main.yaml
index da3f517ed3c2bc94a7df63518b0480892d708917..52c5e20aa8d1b06bc2f1580774ba7d97f1616fb6 100644
--- a/roles/router/tasks/main.yaml
+++ b/roles/router/tasks/main.yaml
@@ -479,21 +479,10 @@
     - syspatch
 
 - name: Configure the SSH daemon
-  with_dict:
-    PermitRootLogin: 'no'
-    PasswordAuthentication: 'no'
-    KexAlgorithms: '-diffie-hellman-group14-sha1'
-    # yamllint disable-line rule:line-length
-    MACs: '-hmac-sha1,umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com'
-  lineinfile:
-    line: '{{ item.key }} {{ item.value }}'
-    path: /etc/ssh/sshd_config
-    regexp: '{{ item.key }}'
-    validate: sshd -Tf %s
-  notify:
-    - Restart the SSH daemon
+  include_tasks:
+    file: '{{ playbook_dir }}/tasks/sshd_config.yaml'
   tags:
-    - ssh
+    - always
 
 # yamllint disable-line rule:line-length
 - name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches).
diff --git a/tasks/sshd_config.yaml b/tasks/sshd_config.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c0435d0676a89ba3f93f992097aed41fc48ffe3c
--- /dev/null
+++ b/tasks/sshd_config.yaml
@@ -0,0 +1,31 @@
+---
+- name: Configure the SSH daemon
+  with_dict:
+    CASignatureAlgorithms: >-
+      -ssh-rsa
+    HostbasedAcceptedKeyTypes: >-
+      -ssh-rsa
+    HostKeyAlgorithms: >-
+      -ssh-rsa
+    KexAlgorithms: >-
+      -diffie-hellman-group14-sha1
+    MACs: >-
+      -hmac-sha1,
+      umac-64-etm@openssh.com,
+      hmac-sha1-etm@openssh.com,
+      umac-64@openssh.com
+    PermitRootLogin: !!str no
+    PasswordAuthentication: !!str no
+    PubkeyAcceptedKeyTypes: >-
+      -ssh-rsa,
+      ssh-rsa-cert-v01@openssh.com
+  lineinfile:
+    backup: true
+    line: '{{ item.key }} {{ item.value|replace(" ", "") }}'
+    path: /etc/ssh/sshd_config
+    regexp: '{{ item.key }}'
+    validate: sshd -Tf %s
+  notify:
+    - Restart the SSH daemon
+  tags:
+    - ssh