diff --git a/roles/ssh-user-ca/tasks/main.yml b/roles/ssh-user-ca/tasks/main.yml
index e1aae42..b73bee6 100644
--- a/roles/ssh-user-ca/tasks/main.yml
+++ b/roles/ssh-user-ca/tasks/main.yml
@@ -22,3 +22,39 @@
     mode: u=rw,go=r
   tags:
     - ssh-user-ca
+
+- name: ensure sshd AuthorizedKeysCommand is not set
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: '#AuthorizedKeysCommand none'
+    regexp: '(?i)#?\s*AuthorizedKeysCommand\b'
+    state: present
+  notify:
+    - reload sshd
+  tags:
+    - ssh-authorized-keys-command
+    - sshd-config
+    - config
+    - cleanup
+
+- name: ensure sshd AuthorizedKeysCommandUser is not set
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: '#AuthorizedKeysCommandUser nobody'
+    regexp: '(?i)#?\s*AuthorizedKeysCommandUser\b'
+    state: present
+  notify:
+    - reload sshd
+  tags:
+    - ssh-authorized-keys-command
+    - sshd-config
+    - config
+    - cleanup
+
+- name: ensure ssh-authorized-keys script is removed
+  file:
+    path: /usr/local/libexec/ssh-authorized-keys
+    state: absent
+  tags:
+    - ssh-authorized-keys-command
+    - cleanup
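Review bot: The two `lineinfile` tasks do not actually guarantee that `AuthorizedKeysCommand` is off: sshd honours the first occurrence of a keyword, while `lineinfile` with `state: present` rewrites only the last line matching `regexp`, so a config with two occurrences (or one inside a `Match` block) keeps the first, effective one, and a value set in an `Include`d drop-in under `sshd_config.d/` — common on recent distributions — is never touched at all. The regexp is also unanchored, so a mention of the keyword later on a line would be matched and the whole line replaced. Removing every active occurrence and validating before the `reload sshd` handler fires is safer: `regexp: '(?i)^\s*AuthorizedKeysCommand\b'`, `state: absent`, `validate: '/usr/sbin/sshd -t -f %s'`, with the same change in the `AuthorizedKeysCommandUser` task; if drop-ins are possible on these hosts, a follow-up check of `sshd -T` output would confirm the effective value. Note also that the script is deleted before the handler runs, so until the reload the running sshd points at a missing command. The task supplying the `mode: u=rw,go=r` context lines starts outside the hunk.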