diff --git a/flake.nix b/flake.nix
index 0b44d9e..63167b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -238,6 +238,7 @@
 modules = [
 ./system/machine/T400/configuration.nix
 ./system/modules/laptop.nix
+ ./system/modules/ssh.nix
 # No t400-specific profile exists; compose the generic ThinkPad +
 # laptop/SSD/Intel building blocks (tp_smapi/acpi_call for battery
 # thresholds, SSD + microcode defaults).
@@ -261,6 +262,7 @@
 modules = [
 ./system/machine/MacPro31/configuration.nix
 ./system/modules/desktop.nix
+ ./system/modules/ssh.nix
 inputs.nixos-hardware.nixosModules.common-pc-ssd
 inputs.nixos-hardware.nixosModules.common-cpu-intel
 ./lyrathorpe/swaywm.nix
diff --git a/system/modules/ssh.nix b/system/modules/ssh.nix
new file mode 100644
index 0000000..ee2423a
--- /dev/null
+++ b/system/modules/ssh.nix
@@ -0,0 +1,19 @@
+# Key-only SSH hardening, imported by the hosts that run sshd (T400, Mac Pro).
+# The host config still does `services.openssh.enable = true` and opens port 22
+# next to where it documents the listening service; this module only tightens
+# the policy and installs the authorized key, so a host opting into sshd cannot
+# accidentally ship password/root login.
+{ username, ... }:
+{
+ services.openssh.settings = {
+ PasswordAuthentication = false; # keys only
+ KbdInteractiveAuthentication = false; # no keyboard-interactive fallback
+ PermitRootLogin = "no";
+ };
+
+ # The key permitted to log in as the primary user. Add more entries here as
+ # new client machines are provisioned.
+ users.users.${username}.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA"
+ ];
+}
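Review bot: The `services.openssh.settings` block in the new ssh.nix restricts how a user authenticates but not which users may, so any local account that ends up with a key in `~/.ssh/authorized_keys` (which NixOS's default `authorizedKeysFiles` still consults alongside `/etc/ssh/authorized_keys.d/%u`) can log in, not only the primary user the comment above `authorizedKeys.keys` describes. Adding `AllowUsers = [ username ];` next to `PermitRootLogin = "no";` would make the declared key-holder the only account sshd admits and reject everyone else before key checks run. Separately, the header comment could state that `username` must be supplied by the importing flake via `specialArgs` or `_module.args`, since the two flake.nix hunks only add the import and do not show where that argument comes from.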