diff --git a/common/files/keys-removed/.empty b/common/files/keys-removed/.empty
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/common/tasks/sshd.yml b/common/tasks/sshd.yml
index ab8f25a6a26a8753d4e86e53e35c7f6e171ce59a..933e409e367b27af94cbd38926fda5dfc2aaab42 100644
--- a/common/tasks/sshd.yml
+++ b/common/tasks/sshd.yml
@@ -4,7 +4,7 @@
 - name: ensure sshd is installed
   apt:  name=openssh-server state=latest
   tags:
-    - sshd
+    - ssh
     - packages 
 
 - name: ensure sshd configured
@@ -12,7 +12,7 @@
   notify:
     - restart sshd
   tags:
-    - sshd
+    - ssh
     - config
 
 - name: ensure home dir creation on first login
@@ -20,13 +20,13 @@
   notify:
     - restart sshd
   tags:
-    - sshd
+    - ssh
     - config
 
 - name: ensure sshd is running and enabled
   service: name=ssh state=running enabled=yes
   tags:
-    - sshd
+    - ssh
     - service
 
 - name: ensure every ssh-key is installed
@@ -34,5 +34,13 @@
   with_fileglob:
     - keys/*.pub
   tags:
-    - sshd
+    - ssh
+    - root
+
+- name: ensure old ssh-keys are removed
+  authorized_key: user=root key="{{ lookup('file', item) }}" state=absent
+  with_fileglob:
+    - keys-removed/*.pub
+  tags:
+    - ssh
     - root