diff --git a/ssh-server/tasks/main.yml b/ssh-server/tasks/main.yml
index 60232a1d8b9f7c7b161cec7ed30b708795c43468..5ea696cc41a2f6b640e4eb75f198ce34c5e91f07 100644
--- a/ssh-server/tasks/main.yml
+++ b/ssh-server/tasks/main.yml
@@ -79,12 +79,30 @@
     - ssh
     - root
 
+- name: Check for Proxmox SSH keys
+  stat:
+    path: /etc/pve/priv/authorized_keys
+  register: pve_ssh_present
+  tags:
+    - ssh
+    - root
+
 # filename syntax: name.pub or name+dest_host_1,...,dest_host_n.pub
 - name: ensure our and only our keys are authorized for root
   assemble:
-    dest: /root/.ssh/authorized_keys
+    dest: >-
+      {% if pve_ssh_present.stat.exists -%}
+      /etc/pve/priv/authorized_keys
+      {%- else -%}
+      /root/.ssh/authorized_keys
+      {%- endif %}
     owner: root
-    group: root
+    group: >-
+      {% if pve_ssh_present.stat.exists -%}
+      www-data
+      {%- else -%}
+      root
+      {%- endif %}
     mode: '0600'
     remote_src: false
     src: "{{ ssh_authorized_keys }}"
@@ -95,6 +113,16 @@
     - ssh
     - root
 
+- name: Ensure Proxmox distributes the SSH keys
+  file:
+    path: /root/.ssh/authorized_keys
+    src: /etc/pve/priv/authorized_keys
+    state: link
+  when: pve_ssh_present.stat.exists
+  tags:
+    - ssh
+    - root
+
 - name: ensure we fail2ban bad people
   apt:
     name: fail2ban