diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index 3055d80995567d270665116285791284566454cc..ee4dbc35f8096fe694eeb0b39bd071e74ece3bad 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -15,7 +15,7 @@
     - { role: rspamd, rspamd_dkim_domain: archlinux.org, tags: ["mail"] }
     - { role: unbound, unbound_port: 5353, tags: ["mail"] }
     - { role: postfwd, tags: ['mail'] }
-    - { role: archusers }
+    - { role: archusers, archusers_ssh_options: 'command="/usr/bin/passwd",restrict,pty' }
     - { role: fail2ban }
     - { role: prometheus_exporters }
     - { role: promtail }
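Review bot: The new `archusers_ssh_options` value on the `archusers` entry has no comment explaining it, and the string is security-relevant: it is what confines every key this role installs on the mail host to a forced command. A line above the entry would help, for example `# archusers keys here may only run passwd; "restrict" disables forwarding and similar, "pty" is re-enabled (presumably because passwd prompts on a terminal)`. With the nested quotes, the entry would also read more safely in block style than as a flow mapping, which would make a quoting slip in the option string easier to spot in review. The roles list starts and ends outside this hunk.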
diff --git a/roles/archusers/templates/authorized_keys.j2 b/roles/archusers/templates/authorized_keys.j2
index 899175614684829efde59cf0eff0e581362de94b..4908baf419e42014b113a0d637528e49e957f651 100644
--- a/roles/archusers/templates/authorized_keys.j2
+++ b/roles/archusers/templates/authorized_keys.j2
@@ -1,9 +1,16 @@
 #jinja2: lstrip_blocks: True
-{{ lookup('file', '../pubkeys/' + item.value.ssh_key) }}
+{% set keys = [item.value.ssh_key] %}
 {% if item.value.additional_ssh_keys is defined %}
 	{% for key in item.value.additional_ssh_keys %}
 		{% if inventory_hostname in key.hosts or 'all' in key.hosts %}
-{{ lookup('file', '../pubkeys/' + key.name) }}
+			{{- keys.append(key.name) -}}
 		{% endif %}
 	{% endfor %}
 {% endif %}
+{% for key in keys %}
+	{% if archusers_ssh_options is defined %}
+{{ lookup('file', '../pubkeys/' + key) | regex_replace('(.*\S.*)', archusers_ssh_options + ' \\1') }}
+	{% else %}
+{{ lookup('file', '../pubkeys/' + key) }}
+	{% endif %}
+{% endfor %}
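Review bot: In the `regex_replace` line, `archusers_ssh_options` is passed as the replacement template, so Python's `re.sub` expands backslash sequences in it (`\\`, `\n`, `\1`) instead of copying them literally. The current value contains none, but a later option string that does would be written to authorized_keys in altered form. Prefixing each line directly avoids the regex: `{% for line in lookup('file', '../pubkeys/' + key).splitlines() if line | trim %}`, `{{ archusers_ssh_options }} {{ line }}`, `{% endfor %}`. Separately, the `else` branch emits unrestricted keys whenever the variable is undefined, so a misspelled variable name in a playbook fails open without any error. That behaviour deserves a comment in the template, or a check in the role for hosts that are meant to be restricted.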