diff --git a/ssh-server/handlers/main.yml b/ssh-server/handlers/main.yml
index 9fc709ca625d7c5dc58c79f0fafed5cffd3be77f..d796ac6c0fe039b43ca7f04771a71b02cdc26d0a 100644
--- a/ssh-server/handlers/main.yml
+++ b/ssh-server/handlers/main.yml
@@ -4,8 +4,3 @@
   service:
     name: ssh
     state: restarted
-
-- name: regenerate pam config
-  command: pam-auth-update --force
-  environment:
-    DEBIAN_FRONTEND: noninteractive
diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index 5ea696cc41a2f6b640e4eb75f198ce34c5e91f07..1cb722f8ad11655494c26dda986b58c49f4eba08 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -46,16 +46,20 @@
   tags:
     - ssh
 
-- name: ensure pam creates a home dir if necessary
-  copy:
-    src: pam/mkhomedir
-    dest: /usr/share/pam-configs/mkhomedir
-    owner: root
-    group: root
-    mode: '0644'
+- name: ensure pam creates a home directory
+  command: pam-auth-update --enable mkhomedir --force
+  environment:
+    DEBIAN_FRONTEND: noninteractive
   when: ssh_mkhomedir
-  notify:
-    - regenerate pam config
+  tags:
+    - ssh
+    - pam
+
+- name: ensure pam doesn't create a home directory
+  command: pam-auth-update --remove mkhomedir --force
+  environment:
+    DEBIAN_FRONTEND: noninteractive
+  when: not ssh_mkhomedir
   tags:
     - ssh
     - pam