diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 080092e91e..9979a36b40 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -151,6 +151,11 @@ in
 
     environment.homeBinInPath = true;
     security.pam.enableSSHAgentAuth = true;
+    security.pam.ussh = {
+      enable = true;
+      control = "sufficient";
+      caFile = ../../secrets/client-ca.pub;
+    };
 
     users.mutableUsers = false;
     users.users = let secrets = depot.ops.secrets; in {