diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index 104c4485bd..7c72024fd6 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -23,7 +23,7 @@ LogLevel INFO
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin forced-commands-only
+PermitRootLogin no
 StrictModes yes
 RSAAuthentication yes
@@ -84,3 +84,10 @@ Subsystem sftp <%= scope.lookupvar('::ssh::params::sftp_path') %>
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
+
+# allow ansible connections from puppetmaster host
+Match host ci-puppetmaster.openstack.org
+ PermitRootLogin without-password
+
+Match host puppetmaster.openstack.org
+ PermitRootLogin without-password
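Review bot: The two `Match host` blocks added after `UsePAM yes` key the root-login exception on the client's hostname, which sshd can only obtain from a reverse DNS lookup of the connecting address. The exception therefore depends on `UseDNS` being enabled (with `UseDNS no`, only addresses match in `Match Host`, and that setting is not visible in this hunk) and on the integrity of the DNS answers sshd receives. Matching on the address is sturdier and also merges the two blocks: `Match Address <PUPPETMASTER_IP>,<CI_PUPPETMASTER_IP>` followed by the indented `PermitRootLogin without-password` (placeholders; the real addresses are not on the page). The comment above the blocks should also say that these hosts get key-based root login without the forced-command restriction that the old global `forced-commands-only` setting imposed.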