diff --git a/tasks/main.yml b/tasks/main.yml
index 09ec588..bbccc81 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -19,7 +19,7 @@
 path: "{{ rootpath }}/root/.ssh"
 state: directory
 owner: root
-group: root
+group: "{{root_group}}"
 mode: 0700

 - name: write authorized_keys file for user root
@@ -27,7 +27,7 @@
 src: ssh_root_authorized_keys.j2
 dest: "{{ rootpath }}/root/.ssh/authorized_keys"
 owner: root
-group: root
+group: "{{root_group}}"
 mode: 0600

 - name: create ssh host keys
diff --git a/templates/ssh_sshd_config.j2 b/templates/ssh_sshd_config.j2
index ae16b3a..20adc8e 100644
--- a/templates/ssh_sshd_config.j2
+++ b/templates/ssh_sshd_config.j2
@@ -32,13 +32,8 @@ AuthenticationMethods publickey
 # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
 LogLevel VERBOSE

-# Root login should not be allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
-#
-# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
-# Additionally, only tools such as systemd and auditd record the process session id.
-# On other OSes, the user session id is not necessarily recorded at all kernel-side.
-# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
-PermitRootLogin yes # but we need it to login from dom0
+PermitRootLogin yes
+UseDNS no

 # Use kernel sandbox mechanisms where possible in unprivilegied processes
 # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..640c44a
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1 @@
+root_group: "{% if ansible_os_family == 'FreeBSD' %}wheel{% else %}root{% endif %}"
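Review bot: The added `group: "{{root_group}}"` line omits the spaces inside the braces that `"{{ rootpath }}"` on the `path` line two lines above uses; `group: "{{ root_group }}"` keeps the file consistent and satisfies ansible-lint's Jinja spacing rule (the same applies to the identical line in the authorized_keys hunk that follows). While these tasks are being touched, the unquoted `mode: 0700` is parsed as a YAML 1.1 octal integer, which the file module happens to accept, but Ansible's documented convention is to quote modes — `mode: "0700"` — so a later edit that drops the leading zero cannot silently become a decimal mode. The task these parameters belong to starts before the hunk.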
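Review bot: The rewritten `PermitRootLogin yes` line drops the only justification in the file for allowing root login (the old `# but we need it to login from dom0` trailer), so a reader now sees a bare `yes` that contradicts the usual hardening stance with no reason recorded. Since `AuthenticationMethods publickey` (visible in the hunk header) already limits logins to keys, `PermitRootLogin prohibit-password` states the same intent and keeps root password login closed even if that AuthenticationMethods line is later relaxed; use the older `without-password` spelling if any target still runs OpenSSH before 7.0. I would restore a comment above it, e.g. `# Root login is required for management from dom0; key-only, enforced by AuthenticationMethods above.`, and add one for the new `UseDNS no`, e.g. `# Log client IPs rather than spoofable reverse-DNS names and avoid lookup delays at login.`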
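Review bot: The new `root_group` is derived from `ansible_os_family`, so it is undefined — and both tasks that consume it fail — whenever the role runs with `gather_facts: false` or a `gather_subset` that excludes platform facts; the file should say so, e.g. `# Requires platform facts (ansible_os_family); wheel is root's primary group on FreeBSD.`. The test matches only `FreeBSD`, whereas other BSD-derived families (OpenBSD, NetBSD, Darwin) also use `wheel` for root, so if any of those are targets consider `ansible_os_family in ['FreeBSD', 'OpenBSD', 'NetBSD', 'Darwin']` (verify against your inventory). Because the consuming tasks write under `{{ rootpath }}`, which looks like a guest filesystem mounted on the managed host, note that the group name is resolved against the host running the task rather than the OS inside `rootpath`; if the two can differ, the variable belongs in `defaults/main.yml` so a play can override it, since `vars/main.yml` outranks inventory and play vars. Starting the new file with `---` would also match Ansible convention.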