diff --git a/Dockerfile b/Dockerfile
index d913b7380604f534b885b5e36c9cb00c4e317ba8..36bd098eedef773f6d0953095022cbefa03fb405 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -68,13 +68,14 @@ ARG APPSTREAM_REPO=rhel-9-for-x86_64-appstream-rpms
 ARG SCITAS_REPO=rhel-9-for-x86_64-appstream-rpms
 
 RUN yum install -y --enablerepo=${APPSTREAM_REPO} \
-    sudo openldap-clients \
+    sudo openldap-clients openssh-server \
     && yum -y clean all && rm -fr /var/cache
 
 RUN yum install -y --enablerepo=${SCITAS_REPO} \
     nvslurm-plugin-pyxis enroot enroot+caps \
     && yum -y clean all && rm -fr /var/cache
 
+COPY sshd_config /app/sshd_config
 
 COPY entrypoint.bash /entrypoint.bash
 COPY cryosparc.sh /cryosparc.sh
diff --git a/cryosparc.sh b/cryosparc.sh
index 494b23e054b842ecbaad2b87448d885daaab3120..9fd4e20c7ddc9d220d645caa113b5d582defa1ea 100755
--- a/cryosparc.sh
+++ b/cryosparc.sh
@@ -157,6 +157,11 @@ if [ "${CRYOSPACE_ADD_JOB_LANES}" == "1" ]; then
   cd ${CRYOSPARC_DATADIR}
 fi
 
+if [ "${CRYOSPARC_SSHD_SERVER}" == "1" ]; then
+  /usr/sbin/sshd -f ${CRYOSPARC_DATADIR}/ssh/sshd_config
+fi
+
+
 # local worker
 if [ "${CRYOSPARC_LOCAL_WORKER}" == "1" ]; then
   echo "Starting cryosparc local worker for ${CRYOSPARC_MASTER_HOSTNAME}..."
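Review bot: The new `/usr/sbin/sshd -f ${CRYOSPARC_DATADIR}/ssh/sshd_config` line neither checks the exit status nor quotes the path, so a daemon that fails to start goes unnoticed and a data directory containing whitespace breaks the call. The sshd_config added in this commit sets `Port 22` and leaves `PidFile` at its default, and both normally require root. If this script runs as the unprivileged service user, which the `chown ${U_NAME} -R` of the ssh directory in entrypoint.bash suggests, the bind is likely to fail. Consider `/usr/sbin/sshd -f "${CRYOSPARC_DATADIR}/ssh/sshd_config" || echo "sshd failed to start" >&2`, together with an unprivileged port and a `PidFile` under the data directory in the config. The surrounding script continues outside the hunk, so any existing error handling there is not visible.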
diff --git a/entrypoint.bash b/entrypoint.bash
index c1b34b187c40b62a6a978d6436d8955e0473697f..c7fb42615fdb1835e2eb5ebb60842510f0c05864 100755
--- a/entrypoint.bash
+++ b/entrypoint.bash
@@ -213,6 +213,19 @@ ln -sf ${CRYOSPARC_DATADIR}/run ${CRYOSPARC_MASTER_DIR}/run
 chown ${U_NAME} ${CRYOSPARC_MASTER_DIR}/
 chown ${U_NAME} ${CRYOSPARC_WORKER_DIR}/
 
+mkdir -p ${CRYOSPARC_DATADIR}/ssh/etc/ssh
+cp /app/sshd_config ${CRYOSPARC_DATADIR}/ssh
+
+sed -i -e "s|^HostKey /etc/ssh/|HostKey ${CRYOSPARC_DATADIR}/ssh/etc/ssh/|g" ${CRYOSPARC_DATADIR}/ssh/sshd_config
+
+if [ ! -e ${CRYOSPARC_DATADIR}/ssh/etc/ssh/ssh_host_ecdsa_key ]; then
+    ssh-keygen -A -f ${CRYOSPARC_DATADIR}/ssh
+fi
+
+chown ${U_NAME} -R ${CRYOSPARC_DATADIR}/ssh
+chmod 700 ${CRYOSPARC_DATADIR}/ssh/etc/ssh
+
+
 #cat ${CRYOSPARC_MASTER_DIR}/config.sh
 # ls -lah ${CRYOSPARC_MASTER_DIR}
 
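Review bot: The host-key setup runs on every start regardless of `CRYOSPARC_SSHD_SERVER`, and `chown ${U_NAME} -R` leaves the host private keys owned by the service account on the data directory. Anything that runs as that account, or can read that volume, can therefore copy the keys and impersonate the host. Wrapping the block in `if [ "${CRYOSPARC_SSHD_SERVER}" == "1" ]; then … fi` would keep keys off deployments that never enable SSH, assuming the variable is visible in this script. It would also help to set the key modes explicitly with `chmod 600 "${CRYOSPARC_DATADIR}"/ssh/etc/ssh/ssh_host_*_key` and to quote the `${CRYOSPARC_DATADIR}` expansions, since the `sed` replacement misbehaves if the path contains `|` or `&`. None of the commands is checked, so a failed `ssh-keygen` only surfaces later when sshd refuses to start, unless the script sets `-e` outside the hunk.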
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000000000000000000000000000000000000..25c3c620a9ea455119f1cfa5887b7d87afc80564
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,122 @@
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /app/etc/ssh/sshd_config.d/*.conf
+
+Port 22
+#AddressFamily any
+ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
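Review bot: `Subsystem sftp /usr/lib/openssh/sftp-server` is the Debian location, while the Dockerfile in this commit installs openssh-server with yum from RHEL 9 repositories, where the helper normally lives under `/usr/libexec/openssh/`. `Subsystem sftp internal-sftp` avoids the path dependency. The `Include /app/etc/ssh/sshd_config.d/*.conf` line sits above every setting, and sshd keeps the first value it obtains for a keyword, so any file placed there overrides `PasswordAuthentication no` and `PermitRootLogin no`. Nothing in the commit creates that directory, so either drop the Include or ensure the path is root-owned and not writable by the service user. With `ListenAddress 0.0.0.0` the daemon listens on every interface, so an `AllowUsers` line plus explicit `AllowTcpForwarding no` and `AllowAgentForwarding no` would narrow what a key holder can do, if forwarding is not needed.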