diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 218cbd5..3a5e5bd 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -53,6 +53,14 @@
   - name: Backup authorized_keys out of HOME dir (if unavailable at startup)
     command: "cp /home/{{ item }}/.ssh/authorized_keys {{ssh_authorized_keys_fallback_dir}}/{{ item }}"
     loop: "{{ ssh_users.split() }}"
+
+  - name: Fix ownership
+    file:
+      path: "{{ssh_authorized_keys_fallback_dir}}/{{ item }}"
+      owner: "{{ item }}"
+      group: "{{ item }}"
+      mode: "0600"
+    loop: "{{ ssh_users.split() }}"
     when: ssh_authorized_keys_fallback_enabled
 
   - name: Create an SSH banner
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index eb1061d..b34257c 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -19,6 +19,11 @@ ChallengeResponseAuthentication no
 KerberosAuthentication no
 GSSAPIAuthentication no
 UsePAM yes
+{% if ssh_authorized_keys_fallback_enabled %}
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
+{% else %}
+AuthorizedKeysFile .ssh/authorized_keys
+{% endif %}
 
 # Login timeout and grace period
 LoginGraceTime 30s
@@ -62,9 +67,3 @@ Compression no
 {% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
 UsePrivilegeSeparation sandbox
 {% endif %}
-
-{% if ssh_authorized_keys_fallback_enabled %}
-AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys/%u
-{% else %}
-AuthorizedKeysFile .ssh/authorized_keys
-{% endif %}
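Review bot: The `when: ssh_authorized_keys_fallback_enabled` that closed the "Backup authorized_keys" task now sits under the new "Fix ownership" task, because the new block was inserted between that task's `loop:` and its `when:`; the `command: cp` into `{{ssh_authorized_keys_fallback_dir}}` therefore runs unconditionally, including on hosts where the fallback is disabled and the directory may not exist, which would fail the play. Add `when: ssh_authorized_keys_fallback_enabled` back onto the Backup task directly after its `loop:` line. A cleaner option is to replace both tasks with a single `copy` task using `remote_src: true` together with `owner`, `group` and `mode`, which is idempotent where `command: cp` always reports changed and sets ownership in the same step. The new task also writes `{{ssh_authorized_keys_fallback_dir}}` without inner spaces while `{{ item }}` has them; `{{ ssh_authorized_keys_fallback_dir }}` keeps the Jinja style consistent.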
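Review bot: The relocated `AuthorizedKeysFile` line hard-codes the fallback path as `/etc/ssh/authorized_keys/%u`, while tasks/main.yml writes the copies to `{{ssh_authorized_keys_fallback_dir}}/{{ item }}`; if that variable is set to any other directory, sshd never reads the files the role maintains. Render the variable here instead, `AuthorizedKeysFile .ssh/authorized_keys {{ ssh_authorized_keys_fallback_dir }}/%u`, so both sides stay in sync (with a default for the variable in the role's defaults, which are outside this diff). Note also that sshd with StrictModes enabled, the default, rejects an authorized_keys file whose parent directory is group- or world-writable, so the role presumably needs to manage the fallback directory's ownership and mode as well; that task is not visible in this diff.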