diff --git a/etc/ssh/sshd_config.d/README.md b/etc/ssh/sshd_config.d/README.md
index 91bf348d..67ed4b2b 100644
--- a/etc/ssh/sshd_config.d/README.md
+++ b/etc/ssh/sshd_config.d/README.md
@@ -1,3 +1,7 @@
 sshd_config should include something like
 
 Include /etc/ssh/sshd_config.d/*.conf
+
+## See also
+
+https://infosec.mozilla.org/guidelines/openssh
diff --git a/etc/ssh/sshd_config.d/basic-security.conf b/etc/ssh/sshd_config.d/basic-security.conf
index a586294c..6455a05a 100644
--- a/etc/ssh/sshd_config.d/basic-security.conf
+++ b/etc/ssh/sshd_config.d/basic-security.conf
@@ -5,9 +5,14 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 # Includes public keys in logins
 LogLevel VERBOSE
 
-# root login should probably be denied entirely, but key is better than
-# password
-PermitRootLogin prohibit-password
-
+# No direct root login, keys might be ok, but audit trail
+PermitRootLogin no
 # Passwords are bad
 PasswordAuthentication no
+AuthenticationMethods publickey
+
+# Doesn't exist in Fedora
+#Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
+
+# Use kernel sandbox mechanisms where possible in unprivileged processes
+UsePrivilegeSeparation sandbox