diff --git a/configure/atlas.yml b/configure/atlas.yml
index 0345988..092ac54 100644
--- a/configure/atlas.yml
+++ b/configure/atlas.yml
@@ -10,6 +10,10 @@
 - name: enable interfaces
 command:
 cmd: ifup -a
+ - name: restart sshd
+ systemd:
+ name: sshd
+ state: restarted
 tasks:
 - name: Update
@@ -88,5 +92,25 @@
 src: dmz.conf
 dest: /etc/network/interfaces.d/dmz.conf
 notify: enable interfaces
+ - name: Add backup user
+ user:
+ name: lewis
+ create_home: false
+ password: '!'
+ shell: /sbin/nologin
+ system: true
+ - name: Add backup user principals file
+ copy:
+ dest: "/etc/ssh/lewis_principals"
+ content: "backup"
+ - name: Install user CA
+ copy:
+ dest: "/etc/ssh/user_ca_key.pub"
+ content: "{{ user_ca }}"
+ - name: Copy ssh config for backup user
+ copy:
+ src: "sshd.conf"
+ dest: "/etc/ssh/sshd_config.d/custom.conf"
+ notify: restart sshd
 roles:
 - githubixx.ansible_role_wireguard
diff --git a/configure/inventory/host_vars/atlas.yml b/configure/inventory/host_vars/atlas.yml
index e381603..9cf745f 100644
--- a/configure/inventory/host_vars/atlas.yml
+++ b/configure/inventory/host_vars/atlas.yml
@@ -1,3 +1,4 @@
+user_ca: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ"
 storage_pools: [iso, disk, init]
 wireguard_addresses:
 - "10.42.0.1/32"
diff --git a/configure/sshd.conf b/configure/sshd.conf
new file mode 100644
index 0000000..61b55a2
--- /dev/null
+++ b/configure/sshd.conf
@@ -0,0 +1,6 @@
+TrustedUserCAKeys /etc/ssh/user_ca_key.pub
+
+Match User lewis
+ AuthorizedPrincipalsFile /etc/ssh/lewis_principals
+ ChrootDirectory /kvm/data
+ ForceCommand internal-sftp
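Review bot: The new `restart sshd` handler fires on an unvalidated config drop, so a malformed `custom.conf` would leave the daemon stopped instead of running the previous configuration, which on a remote host means losing management access. sshd re-reads its configuration on reload, so `state: reloaded` is sufficient here and avoids a full restart; a check such as `command: sshd -t` before the handler runs (or a `validate:` on the task that notifies it) is what keeps a bad fragment from being applied at all. The handlers list continues outside the hunk.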
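Review bot: The three `copy` tasks that install `lewis_principals`, `user_ca_key.pub` and `sshd_config.d/custom.conf` set no `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask; files that sshd trusts for authentication decisions should be pinned explicitly, e.g. `owner: root`, `group: root`, `mode: "0644"` on each. The `custom.conf` task also has no `validate:`; `validate: sshd -t -f %s` checks only the fragment's own syntax, so a follow-up `command: sshd -t` against the full configuration before notifying the handler is the stronger guard, as a rejected fragment otherwise surfaces only when the restart fails. The `user` task itself is sound for a service account (locked password, `/sbin/nologin`, `system: true`, no home). Note that the diff shows nothing that creates `/kvm/data` or asserts its ownership, which the new `ChrootDirectory` in `sshd.conf` depends on. The tasks list continues outside the hunk.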
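Review bot: The `Match User lewis` block restricts the session to `internal-sftp` but leaves the other channel types open; `ForceCommand` does not by itself block port forwarding or tunnels, so the usual companions for a chrooted sftp-only account are `AllowTcpForwarding no`, `X11Forwarding no` and `PermitTunnel no` inside the same block. `ChrootDirectory /kvm/data` is only accepted by sshd when that directory and every parent are root-owned and not group- or world-writable, and the backup user will then need a writable subdirectory beneath it; the diff shows no task ensuring either, so a comment such as `# /kvm/data must be root-owned, mode 0755 or tighter, or sshd refuses the login` next to the directive would save the next maintainer a failed login. With `TrustedUserCAKeys` enabled there is also no `RevokedKeys` entry, so a certificate issued by this CA cannot be withdrawn before it expires; pointing one at an (initially empty) KRL file is cheap to add now and hard to retrofit later.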