diff --git a/conf/ssh/sshd_config b/conf/ssh/sshd_config
index 63cd0f8fd..d9e33417c 100644
--- a/conf/ssh/sshd_config
+++ b/conf/ssh/sshd_config
@@ -100,11 +100,11 @@ Match Group sftp.app,!ssh.app
 PermitTunnel no
 PermitUserRC no
 PasswordAuthentication {{ password_authentication }}
-
+{% if allow_root_on_localnet == "true" %}
 # root login is allowed on local networks
 # It's meant to be a backup solution in case LDAP is down and
 # user admin can't be used...
 # If the server is a VPS, it's expected that the owner of the
 # server has access to a web console through which to log in.
 Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
- PermitRootLogin yes
+ PermitRootLogin yes{% endif %}
diff --git a/hooks/conf_regen/03-ssh b/hooks/conf_regen/03-ssh
index 832e07015..045bd7497 100755
--- a/hooks/conf_regen/03-ssh
+++ b/hooks/conf_regen/03-ssh
@@ -18,6 +18,7 @@ do_pre_regen() {
 export compatibility="$(yunohost settings get 'security.ssh.ssh_compatibility')"
 export port="$(yunohost settings get 'security.ssh.ssh_port')"
 export password_authentication="$(yunohost settings get 'security.ssh.ssh_password_authentication')"
+ export allow_root_on_localnet="$(yunohost settings get 'security.ssh.ssh_allow_root_on_localnet')"
 export ssh_keys
 export ipv6_enabled
 ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
diff --git a/locales/en.json b/locales/en.json
index 9a427b159..4d7f84e8b 100644
--- a/locales/en.json
+++ b/locales/en.json
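Review bot: The comment block that now sits inside the `{% if allow_root_on_localnet == "true" %}` guard still states unconditionally that "root login is allowed on local networks", so an admin reading the rendered /etc/ssh/sshd_config cannot tell the block is optional or which setting controls it. Change the first comment line to `# root login on local networks is enabled by the security.ssh.ssh_allow_root_on_localnet setting` so the rendered file documents the toggle. Note that the condition matches the literal string "true", which relies on the `yes = "true"` mapping added to config_global.toml in this same diff; any other stored value, including an empty one if the setting cannot be read, leaves the whole `Match Address` block out — that fails closed, but it also silently removes the documented LDAP-down recovery path, which is worth a sentence in the comment. The enclosing `Match Group sftp.app,!ssh.app` block starts outside the hunk.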
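Review bot: The new `export allow_root_on_localnet=...` line carries a value whose exact spelling matters more than for its siblings, because the sshd_config template compares it against the literal string "true" rather than interpolating it; nothing here says so. A short comment above the line, `# template enables the localnet root Match block only when this is exactly "true"`, would stop a future edit of the setting's yes/no mapping from disabling the fallback unnoticed. As with the sibling exports, a failing `yunohost settings get` is not checked and yields an empty value, which presumably disables the block rather than erroring out — acceptable, but worth stating. The body of `do_pre_regen` continues outside the hunk.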
@@ -423,6 +423,8 @@
 "global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects). See https://infosec.mozilla.org/guidelines/openssh for more info.",
 "global_settings_setting_ssh_password_authentication": "Password authentication",
 "global_settings_setting_ssh_password_authentication_help": "Allow password authentication for SSH",
+ "global_settings_setting_ssh_allow_root_on_localnet": "Permit root from localnet",
+ "global_settings_setting_ssh_allow_root_on_localnet_help": "Allow root login from the local network",
 "global_settings_setting_ssh_port": "SSH port",
 "global_settings_setting_ssowat_panel_overlay_enabled": "Enable the small 'YunoHost' portal shortcut square on apps",
 "global_settings_setting_portal_theme": "Portal theme",
diff --git a/share/config_global.toml b/share/config_global.toml
index fcbb95ba5..24bdab66e 100644
--- a/share/config_global.toml
+++ b/share/config_global.toml
@@ -45,6 +45,12 @@ name = "Security"
 yes = "yes"
 no = "no"
+ [security.ssh.ssh_allow_root_on_localnet]
+ type = "boolean"
+ default = true
+ yes = "true"
+ no = "false"
+
 [security.nginx]
 name = "NGINX (web server)"
 [security.nginx.nginx_redirect_to_https]
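Review bot: `default = true` keeps the pre-existing behaviour (root may log in from the private and link-local ranges listed in the template) so upgrades see no change, but the new table gives no hint that a root-login toggle is deliberately permissive by default, nor that the `yes = "true"` / `no = "false"` strings differ from the sibling `ssh_password_authentication` table (`"yes"` / `"no"`) for a reason. Add above `default = true` the comment `# true preserves the historical localnet root fallback used when LDAP is down`, and above `yes = "true"` the comment `# the sshd_config template tests this value against the literal "true"; do not harmonise with the "yes"/"no" mapping used by ssh_password_authentication, which is interpolated verbatim into sshd_config`. Without that second note, a well-meant cleanup of the mapping would leave the toggle permanently off with no error.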