diff --git a/configure/atlas.yml b/configure/atlas.yml
index 1e00624..1c4a349 100644
--- a/configure/atlas.yml
+++ b/configure/atlas.yml
@@ -92,13 +92,27 @@
 src: dmz.conf
 dest: /etc/network/interfaces.d/dmz.conf
 notify: enable interfaces
- - name: Add backup user
+ - name: Add backup share user
 user:
 name: "{{ backup_share_user }}"
 create_home: false
 password: '!'
 shell: /sbin/nologin
 system: true
+ - name: Add backup control user
+ user:
+ name: "{{ backup_control_user }}"
+ password: '!'
+ shell: /usr/bin/sh
+ system: true
+ groups: "libvirt"
+ - name: Copy control script
+ copy:
+ src: "backup_control.sh"
+ dest: "/home/{{ backup_control_user }}/control.sh"
+ owner: "{{ backup_control_user }}"
+ group: "{{ backup_control_user }}"
+ mode: u=rx,g=rx,o=rx
 - name: Add backup user principals file
 copy:
 dest: "/etc/ssh/backup_principals"
diff --git a/configure/backup_control.sh b/configure/backup_control.sh
new file mode 100644
index 0000000..7563250
--- /dev/null
+++ b/configure/backup_control.sh
@@ -0,0 +1,15 @@
+VIRSH="virsh --connect qemu:///system"
+read -p "" option
+case "$option" in
+ up)
+ for i in $($VIRSH list --all --name --autostart); do $VIRSH start "$i"; done
+ ;;
+ down)
+ for i in $($VIRSH list --state-running --name --autostart); do
+ $VIRSH shutdown "$i"
+ until $VIRSH domstate "$i" | grep shut; do
+ sleep 0.5
+ done
+ done
+ ;;
+esac
diff --git a/configure/sshd.conf.j2 b/configure/sshd.conf.j2
index bc8b28b..a8ea7ea 100644
--- a/configure/sshd.conf.j2
+++ b/configure/sshd.conf.j2
@@ -6,3 +6,9 @@ Match User {{ backup_share_user }}
 ForceCommand internal-sftp
 AllowTcpForwarding no
 X11Forwarding no
+
+Match User {{ backup_control_user }}
+ AuthorizedPrincipalsFile /etc/ssh/backup_principals
+ ForceCommand /home/{{ backup_control_user }}/control.sh
+ AllowTcpForwarding no
+ X11Forwarding no
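Review bot: The "Copy control script" task installs control.sh into the control user's own home directory and makes that user its owner, yet this is exactly the file the new Match block in sshd.conf.j2 runs as ForceCommand; the `u=rx,g=rx,o=rx` mode does not protect it, because an owner can chmod the file, and a user who owns the directory can rename or replace the entry even if the file itself were root-owned, so the forced command can be swapped by anyone who gains control of that account. Install the script in a root-owned directory outside the home instead (for example under /usr/local/bin, with `owner: root`, `group: root` and the same read/execute mode) and point the ForceCommand in sshd.conf.j2 at that path. The same weakness is what the sshd.conf.j2 hunk inherits through its ForceCommand line, so fixing it here fixes both. The control user deliberately differs from the share user by getting a home directory and a real shell (`shell: /usr/bin/sh`); if the script moves out of the home, `create_home: false` can be added for parity with the share user, and `/bin/sh` is the path that exists on every host regardless of a merged /usr.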
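Review bot: `read -p "" option` on the second line is a bash extension; if /usr/bin/sh (the login shell atlas.yml assigns to the control user) is dash, as it is on Debian-family hosts, the builtin rejects `-p`, `$option` stays empty and both the up and down branches are silently skipped, so `read -r option` is the portable form. The wait loop's `grep shut` matches any state containing that word, which includes the transient "in shutdown" state that `virsh domstate` reports, so the loop can end before a domain is actually off; matching `shut off` (and ideally bounding the wait so a hung guest cannot hold the SSH session open indefinitely) makes the down path reliable. The file also has no shebang, so sshd's ForceCommand depends on the login shell's fallback for non-executable scripts, and no `*)` case, so a mistyped option exits 0 without telling the caller anything.
```shell
#!/bin/sh
set -u
VIRSH="virsh --connect qemu:///system"
# dash has no `read -p`; plain POSIX read keeps $option populated
read -r option
case "$option" in
  # … unchanged: up) branch …
  down)
    for i in $($VIRSH list --state-running --name --autostart); do
      $VIRSH shutdown "$i"
      # "in shutdown" also contains "shut"; wait for the final "shut off" state
      until $VIRSH domstate "$i" | grep -q 'shut off'; do
        sleep 0.5
      done
    done
    ;;
  *)
    echo "unknown option: $option" >&2
    exit 1
    ;;
esac
```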
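Review bot: The new Match block points `AuthorizedPrincipalsFile` at /etc/ssh/backup_principals, the same file the "Add backup user principals file" task in atlas.yml manages; if the `{{ backup_share_user }}` block above (its body is largely outside this hunk) uses that file too, every certificate principal trusted to push backups over SFTP is also trusted to start and stop every autostart domain. A dedicated principals file for the control user (for example `AuthorizedPrincipalsFile /etc/ssh/backup_control_principals`, written by its own task) keeps the two privileges separate. The block also leaves PTY allocation and agent forwarding at their defaults, which a forced script that only reads one word from stdin does not need; adding `PermitTTY no` and `AllowAgentForwarding no` next to the existing `AllowTcpForwarding no` and `X11Forwarding no` lines narrows what a compromised key can do with the session.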